If you are using the default config then your eap.conf must have default_eap_type = md5
Try with peap.

On Wed, Oct 26, 2011 at 12:14 PM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> On 26/10/11 14:58, Phil Mayers wrote:
>>
>> On 26/10/11 14:47, Sergio NNX wrote:
>>>
>>> This kind of Q&A thing helps no one here! Many people are reporting the
>>> same issue on different platforms! I don't think the problem is either
>>> with the client or the certificates since I conducted some testing using
>>> the same client and the same certificates but an old FR version (1.1.7)
>>> and the tests pass. It's easier to blame something else but we could
>>> spend that time contributing to the solution and so helping others!
>>
>> In earnest: What exactly would you like us to do? Be specific. Bear in
>> mind that no-one is paid to offer help here.
>>
>> If you can reproduce the problem reliably, then do so. Carefully
>> document the configs that work under 1.1.7, and fail under 2.1.12,
>> including the client configuration. Give that information to the list,
>> and I'm sure if people are interested, they will take a look.
>>
>> If no-one is interested, you should start investigating the problem
>> yourself - FreeRADIUS is open source. If you lack the skills locally,
>> hire a contractor.
>>
>> I will try to find some time today to test machine auth.
>>
>
> Sorry, this is long.
>
> tl;dr version - under Windows 7, if you import the CA certificate into the
> "Trusted Root Certification Authorities" hierarchy in the MMC "Certificates"
> snap-in, Windows 7 user- and machine-auth work just fine against an
> out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.
>
> It works for me.
>
> ===
>
>
> I have just tested machine auth on a Windows 7 client. Everything works as I
> expected. Using an out-of-the-box FreeRADIUS 2.1.12 install and default
> configs, I made two changes:
>
> 1. Edit "modules/mschap" to enable the "ntlm_auth" helper like so:
>
> ntlm_auth = "... --username=%{mschap:User-Name} ..."
>
> 2. Edit "clients.conf" to add an entry for the switch
>
> I then started FreeRADIUS, and it auto-generated the certificates. I then
> tried a sequence of things on the Windows client.
>
> First - open the "services" MMC snap-in, and start (and set to auto-start)
> the "Wired autoconfig" service
>
> Second - open the network adapter list, right-click on the wired adapter,
> and enable authentication using the default settings (PEAP, MSCHAP inner)
> except that I unchecked "use my windows domain login / password"
>
> I then enabled 802.1x on the port facing the machine.
>
> == 1st auth ==
>
> Failed. Client did the TLS negotiation, and returned the following error to
> FreeRADIUS:
>
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
>
> This is expected; we haven't yet imported the client cert into the
> certificate store.
>
> == 2nd auth ==
>
> Copy the "ca.cer" file onto the client, double-click on it, follow the
> prompts using the defaults. This didn't work - the client did not import the
> cert, despite appearing to, so auth again failed.
>
> == 3rd auth ==
>
> Open "mmc", add the "Certificates" snap-in for "My user account". In the
> snap-in, expand the "Trusted Root Certification Authorities" folder, and
> right click on the "Certificates" child - select "All Tasks", "Import...".
> Browse to the cert & import it. You will be prompted saying "Windows cannot
> verify ..." - click OK.
>
> You should now see the example cert in the list.
>
> Re-start the 802.1x auth (unplug/reconnect).
>
> You will be prompted for a username/password, as before - this time, auth
> will succeed.
>
> == 4th auth ==
>
> Return to the network adapter settings. Right-click, select properties. Go
> to the Authentication tab, select "Additional settings", and tick the
> "Specify authentication mode" box, and select "Computer authentication" from
> the drop-down.
>
> The machine will re-authenticate and, as expected, fail with a bad CA alert:
>
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca
>
> == 5th auth ==
>
> Return to the "mmc" window; add the "Certificates" snap-in for the computer
> account. Again, expand "Trusted Root Certification Authorities" and
> right-click on "Certificates" and select "All tasks", "Import..". Browse to
> the "ca.cer" and import it.
>
> Re-start authentication. Authentication will work.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
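The two MMC imports in the quoted message (the "3rd auth" step into the user account's store and the "5th auth" step into the computer account's store) can be scripted. The PowerShell below is an added example, not code from the thread or from the FreeRADIUS project; it uses the .NET X509Store API rather than the Import-Certificate cmdlet so that it also runs on Windows 7 / PowerShell 2.0. The file path, the parameter names and the self-signed check are this example's own assumptions. Since anything placed in "Trusted Root Certification Authorities" is trusted for every TLS validation on that host, the script refuses to import a certificate that is not a self-signed root, which guards against accidentally importing the server.pem/server certificate instead of ca.cer.

```powershell
# Added example (not from the mailing-list thread): import the FreeRADIUS
# ca.cer into the Windows "Trusted Root Certification Authorities" store for
# the current user (user auth) and/or the local machine (computer auth), then
# verify by thumbprint that the import actually took effect.
# Run from an elevated prompt when targeting the LocalMachine store.
param(
    [string]$CaCerPath = "C:\temp\ca.cer",   # assumed location of the copied ca.cer
    [switch]$UserStore,                      # CurrentUser\Root only
    [switch]$MachineStore                    # LocalMachine\Root only
)

function Import-TrustedRootCa {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "CA certificate file not found: $Path"
    }
    $fullPath = (Get-Item -LiteralPath $Path).FullName
    # X509Certificate2 accepts both DER (.cer) and PEM-encoded files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath

    # Only a self-signed root belongs in Trusted Root. The auto-generated
    # FreeRADIUS CA is self-signed; a server certificate is not.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Refusing to import non-self-signed certificate: Subject='$($cert.Subject)' Issuer='$($cert.Issuer)'"
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $existing = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $cert.Thumbprint, $false)
        if ($existing.Count -gt 0) {
            Write-Host "Already present in $Location\Root: $($cert.Thumbprint)"
        } else {
            $store.Add($cert)
            Write-Host "Imported into $Location\Root: $($cert.Subject) ($($cert.Thumbprint))"
        }
    } finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

function Test-TrustedRootCa {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
    )
    # Re-open the store read-only and look the certificate up by thumbprint,
    # which is the same check as finding it in the MMC "Certificates" list.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $hits = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $Thumbprint, $false)
        return ($hits.Count -gt 0)
    } finally {
        $store.Close()
    }
}

# With neither switch given, do both stores, matching the thread's 3rd and 5th steps.
$locations = @()
if ($UserStore)    { $locations += [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser }
if ($MachineStore) { $locations += [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine }
if ($locations.Count -eq 0) {
    $locations = @(
        [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser,
        [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    )
}

foreach ($loc in $locations) {
    $thumbprint = Import-TrustedRootCa -Path $CaCerPath -Location $loc
    if (Test-TrustedRootCa -Thumbprint $thumbprint -Location $loc) {
        Write-Host "Verified: $thumbprint is in $loc\Root"
    } else {
        Write-Warning "Import reported success but $thumbprint was not found in $loc\Root"
    }
}
```

When the CurrentUser store is targeted, Windows still raises the same "Windows cannot verify ..." confirmation dialog the message describes, because adding to a user's Trusted Root is an interactive security decision; the LocalMachine store shows no dialog but requires an elevated session. After either import, re-starting the 802.1X exchange (unplug/reconnect) should replace the `fatal unknown_ca` alert in the FreeRADIUS debug output with a successful PEAP tunnel, and the thumbprint check gives a non-interactive way to confirm the store state before retrying, which is the failure the "2nd auth" step ran into.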