Hi,

I'm still having some problems using EAP-TLS with SP3 on XP, though I have a partial solution after excessive googling. I will provide it here, because I think a lot of people must have the same problems, and if they're using FreeRADIUS, they will probably look here.

I found that you can't use a registry patch anymore to enable machine-based authentication. You need to use XML files to make a profile and load it within XP. MS explained that very well in:

http://support.microsoft.com/?scid=kb%3Ben-us%3B929847&x=16&y=10

You need to do it that way, regardless of whether you have a wired or WLAN setup.

So I was very excited, but it's still not working. My radiusd -X -A shows exactly nothing; if XP reboots, there is no ongoing conversation or error. So I enabled debug logging in XP and found some interesting lines. I thought, because radius isn't writing anything to the screen, that XP isn't sending anything that was wrong.

OneXModule.LOG says (only quoting lines with "error"):

[1516] 01-22 14:19:31:093: Port(2): 802.1X authentication failed with reason = "Empfang eines expliziten Eap-Fehlers" and error code = 0x40420110
...
[1516] 01-22 14:19:31:109: (MarshallEapError:1392) Allocated memory 000E1E00, size = 432
...
[1512] 01-22 14:19:31:109: (FreeEapError:1302) Freed memory 000CA730
[1512] 01-22 14:19:31:109: (FreeEapError:1303) Freed memory 000CCFC0
[1512] 01-22 14:19:31:109: (FreeEapError:1304) Freed memory 000CAC60
...
[1904] 01-22 14:19:49:250: Port(3): Received a failure indication from the local Eap dll with error code 0x40420110 and reason code 0x40420110
[1904] 01-22 14:19:49:250: Port(3): Eap error info contains winError=0x40420110, reasonCode=0x40420110, EapMethod(Type=0), rootCauseString=Fehler bei der Authentifizierung, weil ein Problem mit dem Benutzerkonto besteht.
[1904] 01-22 14:19:49:250: (DuplicateEapError:1320) Allocated memory 000C6290, size = 80


The rootCauseString means: "Error with authentication, because there is a problem with the user account". The error code is unknown to Google.

EAPOL.LOG says:

[1148] 14:18:17:781: ElRegistryUpdateXPBeta2: Error in RegOpenKeyEx for base key, 2
[1148] 14:18:17:828: ElUpdateRegistry: ElRegistryUpdateXPBeta2 failed with error 2
[1148] 14:18:17:828: QEC Init succeeded with dwRetCode = 0
[1148] 14:18:17:828: ElMediaInit: Entered
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszSupplicantMode, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPMKCacheMode, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPMKCacheTTL, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPMKCacheSize, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for PreauthMode, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for PreauthTimeout, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPreauthThrottle, 2, InfoSize=4
...
[1148] 14:18:17:921: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (0) with error (1702)
[1148] 14:18:17:921: ElGetWinStationUserToken: GetCurrentUserTokenW failed with error (1245)
...

So what's the problem? Is there some kind of registry hassle? I took a new PC with a new XP Pro (incl. SP3) installed. There are no old leftovers. So EAP looks very buggy and beta. The certs are OK, they work with XP SP2, so why doesn't SP3 want them?

I'm now using FreeRADIUS 1.1.6 (I had 1.1.0) and made no changes to my setup or config files, since XP SP2, Win2000 and Linux authenticate without problems. Do I have to change something in FreeRADIUS to make it work, besides upgrading the version?

Is anyone around here doing EAP-TLS with XP SP3 machines?

Please give a hint. I'd love to owe you a beer. :-)

TIA
Alex
