Thank you Matthew for the clarification. I could successfully get the Windows 7 client to try and make a request (you definitely need to have the certs imported into exactly the correct spots). But now my debug log says that it's failing. This is a default 2.1.12 install with the switch added to the clients.conf file.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204, length=180
        User-Name = "host/u...@example.com"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
        Message-Authenticator = 0x41f4a411366a244a23e887c859436d0b
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "example.com" for User-Name = "host/u...@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "host/user"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user host/user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 231 to 127.0.0.1 port 1812
        User-Name = "host/user"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
        Message-Authenticator = 0x00000000000000000000000000000000
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        NAS-IP-Address = 10.11.200.73
        Proxy-State = 0x323034
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 231 to 127.0.0.1 port 1812
        User-Name = "host/user"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
        Message-Authenticator = 0x00000000000000000000000000000000
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        NAS-IP-Address = 10.11.200.73
        Proxy-State = 0x323034
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231, length=171
        User-Name = "host/user"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
        Message-Authenticator = 0x0d22b2b1d5102149a8c1c731bc6613dd
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        NAS-IP-Address = 10.11.200.73
        Proxy-State = 0x323034
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 231 to 127.0.0.1 port 1814
        Proxy-State = 0x323034
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=231, length=25
        Proxy-State = 0x323034
# Executing section post-proxy from file /etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/u...@example.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 204 to 10.11.200.73 port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 231 with timestamp +14
Cleaning up request 0 ID 204 with timestamp +14
Ready to process requests.

On Fri, Dec 7, 2012 at 2:23 PM, Matthew Newton <m...@leicester.ac.uk> wrote:
> On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
> > Sorry, I was not clean with my setup information. We do not have a domain,
> > these are stand alone windows 7 devices. We also have some tablets and
> > some linux boxes. Concern right now is the Windows 7 devices. I didn't
> > know that you cannot do machine authentication without a domain....
>
> You can, but you'll need to handle the certificates on the hosts
> manually. That's usually such a pain that the only real solution
> is to use AD. If you've got a small number of devices, or can
> write some other automated method of deploying certs, then it can
> be possible to handle.
>
> What you /can't/ do is both User auth (mschap - username +
> password) *and* Computer auth (certificates - EAP-TLS) in the same
> connection, as the default Windows supplicant, like most, doesn't
> support client certificates with PEAP (and user auth - mschap -
> needs to be inside PEAP).
>
> > User authentication in my environment is just not an option because all of
> > the devices need to have a connection to the network at all times even if
> > nobody is logged in. Should I be using PEAP/EAP-TLS instead?
>
> There are no good reasons for doing PEAP/EAP-TLS unless you want
> to use SoH. PEAP adds overhead to the auth, with no added benefit.
>
> > If so do you know of any good setup documentation for that?
>
> I wrote up how to do PEAP/EAP-TLS a while back - you can find it
> here: http://q.asd.me.uk/pet
>
> That said - your connection is trying to do PEAP, so you've
> configured your client for either 'certificates' or mschap inside
> PEAP. I forget the exact options in the interface, but you need to
> choose 'certificates' rather than 'PEAP', then select the client
> certificate that you want to auth with - which will be one that is
> signed by the same CA that the CA_file option in your FreeRADIUS
> eap.conf file points to. Make sure it's set to 'Computer' auth,
> not 'User' or 'User + Computer'.
>
> In theory, you'll then find that it Just Works. But the Windows
> config interface takes a bit of head scratching to get around
> until you understand what it's doing under the hood.
>
> Cheers
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <m...@le.ac.uk>
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
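A worked check to go with the debug output in the post above, added here as an example; it is not code from the post, from Matthew, or from the FreeRADIUS project. It parses radiusd -X output into one record per received packet and reports what the log shows when read by hand: the request for realm example.com is forwarded to home server 127.0.0.1 port 1812, the same daemon then receives it back with User-Name stripped to host/user while the EAP-Message still carries the full identity, and eap returns invalid with "Identity does not match User-Name". The EAP-Message hex from the log is decoded as an EAP Response/Identity so that mismatch is checked directly rather than inferred from the module message. The embedded SAMPLE is a condensed, line-broken reconstruction of the post's output; the obfuscated User-Name is assumed to be host/user@example.com, which is what that hex decodes to.

```python
"""Parse FreeRADIUS 2.x debug (radiusd -X) output into per-packet records and explain
an Access-Reject.  Added example; not code from the post or from FreeRADIUS."""
import re
from dataclasses import dataclass, field

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")
MODRC = re.compile(r"^\++\[([\w.]+)\] returns (\w+)")
MODMSG = re.compile(r"^\[([\w.]+)\] (.*)$")
PROXY = re.compile(r"^Proxying request \d+ to home server (\S+) port (\d+)")

# Condensed, line-broken reconstruction of the debug output quoted in the post; the
# obfuscated User-Name is restored to what the EAP-Message hex on the page decodes to.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204, length=180
    User-Name = "host/user@example.com"
    EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "host/user"
++[suffix] returns updated
Sending Access-Request of id 231 to 127.0.0.1 port 1812
    User-Name = "host/user"
Proxying request 0 to home server 127.0.0.1 port 1812
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231, length=171
    User-Name = "host/user"
    EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
    Proxy-State = 0x323034
++[suffix] returns noop
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Sending Access-Reject of id 231 to 127.0.0.1 port 1814
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=231, length=25
Sending Access-Reject of id 204 to 10.11.200.73 port 1645
"""

@dataclass
class Packet:
    code: str
    host: str
    port: int
    pid: int
    attrs: dict = field(default_factory=dict)     # attributes printed under rad_recv
    returns: list = field(default_factory=list)   # (module, rcode), in order
    messages: dict = field(default_factory=dict)  # module -> its "[module] ..." lines
    proxied_to: str = ""                          # "host:port" of the home server, if any
    sent: list = field(default_factory=list)      # (code, id, "host:port") sent while handling it

def parse(text):
    """Split -X output into one Packet per rad_recv line."""
    packets, cur, in_attrs = [], None, False
    for line in text.splitlines():
        if m := RECV.match(line):
            cur = Packet(m[1], m[2], int(m[3]), int(m[4]))
            packets.append(cur)
            in_attrs = True
            continue
        if cur is None:
            continue
        if m := ATTR.match(line):
            if in_attrs:  # attributes echoed under "Sending ..." belong to the outgoing packet
                cur.attrs[m[1]] = m[2].strip('"')
            continue
        in_attrs = False  # any other line ends the received packet's attribute list
        if m := MODRC.match(line):
            cur.returns.append((m[1], m[2]))
        elif m := MODMSG.match(line):
            cur.messages.setdefault(m[1], []).append(m[2])
        elif m := PROXY.match(line):
            cur.proxied_to = f"{m[1]}:{m[2]}"
        elif m := SEND.match(line):
            cur.sent.append((m[1], int(m[2]), f"{m[3]}:{m[4]}"))
    return packets

def eap_identity(hex_message):
    """Identity carried in an EAP-Message attribute holding an EAP Response/Identity (RFC 3748)."""
    raw = bytes.fromhex(hex_message[2:] if hex_message.startswith("0x") else hex_message)
    if len(raw) < 5:
        return None
    code, length, kind = raw[0], int.from_bytes(raw[2:4], "big"), raw[4]
    if code != 2 or kind != 1 or length != len(raw):  # 2 = Response, type 1 = Identity
        return None
    return raw[5:length].decode("utf-8", "replace")

def diagnose(packets):
    """Findings: where each Access-Request was proxied and which module made it fail."""
    out = []
    for p in packets:
        if p.code != "Access-Request":
            continue
        if p.proxied_to:
            fwd = next((i for c, i, _ in p.sent if c == "Access-Request"), None)
            out.append(("proxied", p.pid, p.proxied_to, fwd))
            # the forwarded id arriving back *from* the home server's address means the
            # home server is this daemon: it is proxying to itself
            home = p.proxied_to.split(":")[0]
            if any(q.code == "Access-Request" and q.pid == fwd and q.host == home for q in packets):
                out.append(("proxied-to-self", p.pid, fwd))
        ident = eap_identity(p.attrs["EAP-Message"]) if "EAP-Message" in p.attrs else None
        if ident and ident != p.attrs.get("User-Name"):
            out.append(("identity-mismatch", p.pid, p.attrs.get("User-Name"), ident))
        for mod, rc in p.returns:
            if rc in ("invalid", "reject", "fail"):
                out.append(("module-failed", p.pid, mod, rc, p.messages.get(mod, [])))
    return out
```

On a saved -X capture, diagnose(parse(open(path).read())) returns tuples tagged proxied, proxied-to-self, identity-mismatch or module-failed; on SAMPLE it reports request 204 forwarded to 127.0.0.1:1812 as id 231, that id coming back from 127.0.0.1, the User-Name/EAP identity mismatch on 231, and eap returning invalid with the two messages the log shows.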