Re: PEAP with Machine auth

2011-10-27 Thread Bonald
The weird thing is that I didn't see that popup

On Wed, Oct 26, 2011 at 5:07 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 10/26/2011 07:53 PM, Francois Gaudreault wrote:

 Correct me if I am wrong, but that should not be needed when you are not
 validating server certificate.

 There are a few issues; let me try to lay them out.

 First: it seems you MUST install the CA on the client (in one or both of the
 user or machine store, depending on whether you're doing user or
 machine-based auth). Authentication will simply fail if you don't install
 the CA - although helpfully Windows does seem to send an "invalid CA" TLS
 alert.


 Second: If (and only if) you install the CA, then when you FIRST connect to
 a network, you will be shown the dialog box "The connection attempt could
 not be completed". In my testing, if you click "Continue", then windows
 will:

  a. Check the "Validate server certificate" box
  b. Leave the "Connect to these servers" (hostname/CN) field blank
  c. Check the box next to the CA cert

 That is, windows will trust on first use (TOFU) the *specific* CA for that
 *specific* connection profile (WLAN SSID or Wired profile).

 The text at the link given by the OP is misleading. The issue is not whether
 the CA is a Trusted CA on the machine/user store as a whole. It's whether
 it's trusted for *that specific connection* as a CA for signing the
 authentication server cert.

 I'm unsure whether the OP is clicking "Continue" at the prompt and it's
 failing, or if he's not clicking "Continue" or not even being presented with
 the option - but as I say, in my testing, TOFU works.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




Re: PEAP with Machine auth

2011-10-27 Thread Phil Mayers

On 27/10/11 13:12, Bonald wrote:

The weird thing is that I didn't see that popup


That is very odd.

I just tried this again; purged the CA from the User & Machine lists,
deleted the wired 802.1x profile and re-connected. 1st time - no joy
because the CA is unknown. Import the CA & retry and I get prompted to
"Terminate" or "Connect". If I click "Connect", the 802.1x profile is
altered to trust the CA.


Maybe you have some windows Group Policy which is preventing you from 
being prompted?



Re: PEAP with Machine auth

2011-10-27 Thread Bonald
Exactly, I have a GPO that's pushing some wireless profiles. When
disabling this GPO I see the popup.

On Thu, Oct 27, 2011 at 9:37 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 27/10/11 13:12, Bonald wrote:

 The weird thing is that I didn't see that popup

 That is very odd.

 I just tried this again; purged the CA from the User & Machine lists,
 deleted the wired 802.1x profile and re-connected. 1st time - no joy because
 the CA is unknown. Import the CA & retry and I get prompted to "Terminate"
 or "Connect". If I click "Connect", the 802.1x profile is altered to trust
 the CA.

 Maybe you have some windows Group Policy which is preventing you from being
 prompted?



Re: PEAP with Machine auth

2011-10-27 Thread Phil Mayers

On 27/10/11 15:18, Bonald wrote:

Exactly, I have a GPO that's pushing some wireless profiles. When
disabling this GPO I see the popup.


Sigh.

I hate windows.

I'm glad you've got it sorted out. If you find time to write some docs 
in the wiki that describe which GPO objects caused what behaviour, it 
might be useful for others in the future.



Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 13:49, Bonald wrote:


WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility


Did you follow the link? Did you read it?

Most likely, you need to ensure your certificate CA is trusted by the 
machine store, as well as the user store(s)



Re: PEAP with Machine auth

2011-10-26 Thread Bonald
Yes, I've read it.
Yes, the certificate is trusted on the machine and the user store.

It must be something else; using USER auth it's working. MACHINE auth
is failing.

On Wed, Oct 26, 2011 at 10:14 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 26/10/11 13:49, Bonald wrote:

 WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
 WARNING: !! Please read
 http://wiki.freeradius.org/Certificate_Compatibility

 Did you follow the link? Did you read it?

 Most likely, you need to ensure your certificate CA is trusted by the
 machine store, as well as the user store(s)



Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 14:24, Bonald wrote:

Yes, I've read it.
Yes, the certificate is trusted on the machine and the user store.

It must be something else; using USER auth it's working. MACHINE auth
is failing.


Well, I guess it's just broken then. Oh well.

Seriously - it's important to understand that the CLIENT stops 
responding. FreeRADIUS can't do anything more in this case - the client 
has stopped sending EAPOL packets, so the client must think that 
something is wrong.


You will have to debug the client. This is very very painful on Windows; 
it's hard to even find the EAPOL debugging options, let alone interpret 
the results.


Good luck.


Re: PEAP with Machine auth

2011-10-26 Thread Alan DeKok
Phil Mayers wrote:
 Seriously - it's important to understand that the CLIENT stops
 responding. FreeRADIUS can't do anything more in this case - the client
 has stopped sending EAPOL packets, so the client must think that
 something is wrong.

  That's the main issue people have with RADIUS.  The client is in
charge of pretty much everything, and few people understand that.

Q: Why does the client stop talking to the server?
A: Because it doesn't like the response from the server

Q: OK... *what* part of the response doesn't it like?
A: Go ask the client

Q: But I can't!  What do I do?
A: well... we don't know, either.  Go ask Microsoft.

 You will have to debug the client. This is very very painful on Windows;
 it's hard to even find the EAPOL debugging options, let alone interpret
 the results.

  Yes.  Everyone reading this list should understand CLIENT issues cause
you to debug the CLIENT.

  If the server returns the wrong thing... you can fix the server.  For
pretty much everything else, blame the client.

  Alan DeKok.


RE: PEAP with Machine auth

2011-10-26 Thread Sallee, Stephen (Jake)
Ok, I have been watching your discourse from afar and I have to say this:

 This kind of QA thing helps no one here! ...

Two things.  Number one, he IS answering your questions.  He is just not GIVING 
you the answer.  Number two, the gentleman in question is quite possibly the 
preeminent FreeRADIUS expert in the world.  When he tells you something about 
FreeRADIUS, you should listen.

Sorry, I am not trying to be too blunt.   But when an expert speaks, you should 
listen.  This is true in any area.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Sergio NNX
Sent: Wednesday, October 26, 2011 8:47 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: PEAP with Machine auth

This kind of QA thing helps no one here! Many people are reporting the same 
issue on different platforms! I don't think the problem is either with the 
client or the certificates since I conducted some testing using the same client 
and the same certificates but an old FR version (1.1.7) and the tests pass. 
It's easier to blame something else but we could spend that time contributing 
to the solution and so helping others!


 Date: Wed, 26 Oct 2011 15:36:19 +0200
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: PEAP with Machine auth

 Phil Mayers wrote:
  Seriously - it's important to understand that the CLIENT stops
  responding. FreeRADIUS can't do anything more in this case - the client
  has stopped sending EAPOL packets, so the client must think that
  something is wrong.

 That's the main issue people have with RADIUS. The client is in
 charge of pretty much everything, and few people understand that.

 Q: Why does the client stop talking to the server?
 A: Because it doesn't like the response from the server

 Q: OK... *what* part of the response doesn't it like?
 A: Go ask the client

 Q: But I can't! What do I do?
 A: well... we don't know, either. Go ask Microsoft.

  You will have to debug the client. This is very very painful on Windows;
  it's hard to even find the EAPOL debugging options, let alone interpret
  the results.

 Yes. Everyone reading this list should understand CLIENT issues cause
 you to debug the CLIENT.

 If the server returns the wrong thing... you can fix the server. For
 pretty much everything else, blame the client.

 Alan DeKok.


Re: PEAP with Machine auth

2011-10-26 Thread Alan DeKok
Francois Gaudreault wrote:
 Even more weird, we have had the same issue lately with one controller
 model, and not the other.  We were using the same config on the client,
 on the server, and the same certs.

  Ouch.  The whole EAP ecosystem is fragile to the point of insanity.

  There are times when I'm surprised it works at *all*.

 I also tend to blame the client tho, maybe EAP is now more strict on the
 server side?  If you can point us a doc to enable the EAP debug under
 windows, I am sure many people (even myself) would be glad to troubleshoot.

  The server side of EAP has changed a bit... but not much.  Most of the
changes to EAP are really the SSL stuff inside of OpenSSL, which we
don't control.

  Alan DeKok.


Re: PEAP with Machine auth

2011-10-26 Thread Francois Gaudreault



Even more weird, we have had the same issue lately with one controller
model, and not the other.  We were using the same config on the client,
on the server, and the same certs.

   Ouch.  The whole EAP ecosystem is fragile to the point of insanity.

   There are times when I'm surprised it works at *all*.
You bet.  It was two controllers from the same manufacturer, just
different model/firmware :S


--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 14:58, Phil Mayers wrote:

On 26/10/11 14:47, Sergio NNX wrote:

This kind of QA thing helps no one here! Many people are reporting the
same issue on different platforms! I don't think the problem is either
with the client or the certificates since I conducted some testing using
the same client and the same certificates but an old FR version (1.1.7)
and the tests pass. It's easier to blame something else but we could
spend that time contributing to the solution and so helping others!


In earnest: What exactly would you like us to do? Be specific. Bear in
mind that no-one is paid to offer help here.

If you can reproduce the problem reliably, then do so. Carefully
document the configs that work under 1.1.7, and fail under 2.1.12,
including the client configuration. Give that information to the list,
and I'm sure if people are interested, they will take a look.

If no-one is interested, you should start investigating the problem
yourself - FreeRADIUS is open source. If you lack the skills locally,
hire a contractor.

I will try to find some time today to test machine auth.



Sorry, this is long.

tl;dr version - under Windows 7, if you import the CA certificate into 
the Trusted Root Certification Authorities hierarchy in the MMC 
Certificates snap-in, Windows 7 user- and machine-auth work just fine 
against an out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.


It works for me.

===


I have just tested machine auth on a Windows 7 client. Everything works 
as I expected. Using an out-of-the-box FreeRADIUS 2.1.12 install and 
default configs, I made two changes:


 1. Edit modules/mschap to enable the ntlm_auth helper like so:

ntlm_auth = ... --username=%{mschap:User-Name} ...

 2. Edit clients.conf to add an entry for the switch

I then started FreeRADIUS, and it auto-generated the certificates. I 
then tried a sequence of things on the Windows client.


First - open the services MMC snap-in, and start (and set to
auto-start) the "Wired autoconfig" service


Second - open the network adapter list, right-click on the wired
adapter, and enable authentication using the default settings (PEAP,
MSCHAP inner) except that I unchecked "use my windows domain login /
password"


I then enabled 802.1x on the port facing the machine.

== 1st auth ==

Failed. Client did the TLS negotiation, and returned the following error 
to FreeRADIUS:


[peap]  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

SSL: SSL_read failed inside of TLS (-1), TLS session fails.

This is expected; we haven't yet imported the client cert into the 
certificate store.


== 2nd auth ==

Copy the ca.cer file onto the client, double-click on it, follow the 
prompts using the defaults. This didn't work - the client did not import 
the cert, despite appearing to, so auth again failed.


== 3rd auth ==

Open mmc, add the Certificates snap-in for "My user account". In the
snap-in, expand the "Trusted Root Certification Authorities" folder, and
right click on the "Certificates" child - select All Tasks,
Import... Browse to the cert & import it. You will be prompted saying
"Windows cannot verify ..." - click OK.


You should now see the example cert in the list.

Re-start the 802.1x auth (unplug/reconnect).

You will be prompted for a username/password, as before - this time, 
auth will succeed.


== 4th auth ==

Return to the network adapter settings. Right-click, select Properties.
Go to the Authentication tab, select "Additional settings", tick the
"Specify authentication mode" box, and select "Computer authentication"
from the drop-down.


The machine will re-authenticate and, as expected, fail with a bad CA alert:

[peap]  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca


== 5th auth ==

Return to the mmc window; add the Certificates snap-in for the
"Computer account". Again, expand "Trusted Root Certification Authorities"
and right-click on "Certificates" and select All tasks, Import...
Browse to the ca.cer and import it.


Re-start authentication. Authentication will work.
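The diagnostic rule that runs through this thread (a TLS unknown_ca alert from the client means the CA is not trusted in the store matching the auth mode; a bare "EAP session ... did not finish" warning means the client went silent and the server cannot say why) as a small classifier over radiusd -X debug lines. This is an added example, not code from the thread or from FreeRADIUS; the debug excerpts, hostnames and identities are constructed, and the store names assume the default Windows Trusted Root stores.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns match the FreeRADIUS 2.1.x debug lines quoted in the thread.
USER_NAME_RE = re.compile(r'User-Name = "(?P<ident>[^"]*)"')
UNKNOWN_CA_RE = re.compile(r"TLS Alert read:fatal:unknown CA")
NOT_FINISHED_RE = re.compile(r"EAP session for state (?P<state>0x[0-9a-fA-F]+) did not finish")
ACCEPT_RE = re.compile(r"Sending Access-Accept")

# Store the CA must be trusted in per auth mode (3rd vs 5th auth in the thread).
STORE_FOR_MODE = {
    "machine": "LocalMachine\\Root (Certificates snap-in, Computer account)",
    "user": "CurrentUser\\Root (Certificates snap-in, My user account)",
    "unknown": "both the user and the machine Trusted Root store",
}


@dataclass
class Diagnosis:
    auth_mode: str        # "machine", "user" or "unknown"
    cert_store: str       # store the CA has to be trusted in for this mode
    outcome: str          # "accept", "unknown_ca", "client_silent" or "incomplete"
    state: Optional[str]  # EAP state handle from the "did not finish" warning
    advice: str


def auth_mode_from_identity(identity: Optional[str]) -> str:
    """Windows machine auth identifies as host/<fqdn>; user auth as DOMAIN\\user."""
    if identity is None:
        return "unknown"
    return "machine" if identity.lower().startswith("host/") else "user"


def diagnose(lines: List[str]) -> Diagnosis:
    """Reduce one PEAP attempt's debug lines to the thread's three cases."""
    identity: Optional[str] = None
    state: Optional[str] = None
    saw_unknown_ca = saw_accept = saw_not_finished = False
    for line in lines:
        m = USER_NAME_RE.search(line)
        if m and identity is None:
            identity = m.group("ident")  # outer identity of the attempt
        if UNKNOWN_CA_RE.search(line):
            saw_unknown_ca = True        # client rejected the server cert chain
        m = NOT_FINISHED_RE.search(line)
        if m:
            saw_not_finished = True      # client simply stopped sending EAPOL
            state = m.group("state")
        if ACCEPT_RE.search(line):
            saw_accept = True
    mode = auth_mode_from_identity(identity)
    store = STORE_FOR_MODE[mode]
    if saw_accept:
        return Diagnosis(mode, store, "accept", state, "Authentication succeeded.")
    if saw_unknown_ca:
        return Diagnosis(mode, store, "unknown_ca", state,
                         "Client sent a TLS unknown_ca alert: import the CA into " + store + ".")
    if saw_not_finished:
        return Diagnosis(mode, store, "client_silent", state,
                         "Client stopped responding without a TLS alert; the server cannot say "
                         "why. Check the client's connection profile (per-profile CA trust, a "
                         "suppressed trust prompt, a profile pushed by GPO).")
    return Diagnosis(mode, store, "incomplete", state, "No terminal event in this excerpt.")


# Constructed excerpts in the shape of radiusd -X output; not real captures.
MACHINE_UNKNOWN_CA = [
    '\tUser-Name = "host/pc01.example.com"',
    "[peap]  TLS 1.0 Alert [length 0002], fatal unknown_ca",
    "TLS Alert read:fatal:unknown CA",
    "TLS_accept: failed in SSLv3 read client certificate A",
    "SSL: SSL_read failed inside of TLS (-1), TLS session fails.",
]
USER_SILENT = [
    '\tUser-Name = "EXAMPLE\\alice"',
    "WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!",
    "WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility",
]
USER_OK = [
    '\tUser-Name = "EXAMPLE\\alice"',
    "Sending Access-Accept of id 7 to 192.0.2.10 port 1645",
]
```

Feed it the lines of one Access-Request/EAP conversation from the debug output; mixing several attempts in one excerpt will blur the outcome.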


Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 16:14, Phil Mayers wrote:


Sorry, this is long.

tl;dr version - under Windows 7, if you import the CA certificate into
the Trusted Root Certification Authorities hierarchy in the MMC
Certificates snap-in, Windows 7 user- and machine-auth work just fine
against an out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.

It works for me.


I've also tested the 802.1x single sign-on functionality in Windows 7. 
Again, with the certs in the appropriate place, this just works. The 
machine authenticates as itself - host/name.domain.com - and when you 
enter your username/password, it de-auths and re-auths as DOM\user



Re: PEAP with Machine auth

2011-10-26 Thread Bonald
If you are using the default config then your eap.conf must have
 default_eap_type = md5

Try with peap.


On Wed, Oct 26, 2011 at 12:14 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 26/10/11 14:58, Phil Mayers wrote:

 On 26/10/11 14:47, Sergio NNX wrote:

 This kind of QA thing helps no one here! Many people are reporting the
 same issue on different platforms! I don't think the problem is either
 with the client or the certificates since I conducted some testing using
 the same client and the same certificates but an old FR version (1.1.7)
 and the tests pass. It's easier to blame something else but we could
 spend that time contributing to the solution and so helping others!

 In earnest: What exactly would you like us to do? Be specific. Bear in
 mind that no-one is paid to offer help here.

 If you can reproduce the problem reliably, then do so. Carefully
 document the configs that work under 1.1.7, and fail under 2.1.12,
 including the client configuration. Give that information to the list,
 and I'm sure if people are interested, they will take a look.

 If no-one is interested, you should start investigating the problem
 yourself - FreeRADIUS is open source. If you lack the skills locally,
 hire a contractor.

 I will try to find some time today to test machine auth.


 Sorry, this is long.

 tl;dr version - under Windows 7, if you import the CA certificate into the
 Trusted Root Certification Authorities hierarchy in the MMC Certificates
 snap-in, Windows 7 user- and machine-auth work just fine against an
 out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.

 It works for me.

 ===


 I have just tested machine auth on a Windows 7 client. Everything works as I
 expected. Using an out-of-the-box FreeRADIUS 2.1.12 install and default
 configs, I made two changes:

  1. Edit modules/mschap to enable the ntlm_auth helper like so:

 ntlm_auth = ... --username=%{mschap:User-Name} ...

  2. Edit clients.conf to add an entry for the switch

 I then started FreeRADIUS, and it auto-generated the certificates. I then
 tried a sequence of things on the Windows client.

 First - open the services MMC snap-in, and start (and set to auto-start)
 the Wired autoconfig service

 Second - open the network adapter list, right-click on the wired adapter,
 and enable authentication using the default settings (PEAP, MSCHAP inner)
 except that I unchecked use my windows domain login / password

 I then enabled 802.1x on the port facing the machine.

 == 1st auth ==

 Failed. Client did the TLS negotiation, and returned the following error to
 FreeRADIUS:

 [peap]  TLS 1.0 Alert [length 0002], fatal unknown_ca
 TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
 rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
 unknown ca
 SSL: SSL_read failed inside of TLS (-1), TLS session fails.

 This is expected; we haven't yet imported the client cert into the
 certificate store.

 == 2nd auth ==

 Copy the ca.cer file onto the client, double-click on it, follow the
 prompts using the defaults. This didn't work - the client did not import the
 cert, despite appearing to, so auth again failed.

 == 3rd auth ==

 Open mmc, add the Certificates snap-in for My user account. In the
 snap-in, expand the Trusted Root Certification Authorities folder, and
 right click on the Certificates child - select All Tasks, Import
 Browse to the cert & import it. You will be prompted saying "Windows cannot
 verify ..." - click OK.

 You should now see the example cert in the list.

 Re-start the 802.1x auth (unplug/reconnect).

 You will be prompted for a username/password, as before - this time, auth
 will succeed.

 == 4th auth ==

 Return to the network adapter settings. Right-click, select properties. Go
 to the Authentication tab, select Additional settings, and tick the
 Specify authentication mode box, and select Computer authentication from
 the drop-down.

 The machine will re-authenticate and, as expected, fail with a bad CA alert:

 [peap]  TLS 1.0 Alert [length 0002], fatal unknown_ca
 TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
 rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
 unknown ca

 == 5th auth ==

 Return to the mmc window; add the Certificates snap-in for the computer
 account. Again, expand Trusted Root Certification Authorities and
 right-click on Certificates and select All tasks, Import... Browse to
 the ca.cer and import it.

 Re-start authentication. Authentication will work.


Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 16:54, Bonald wrote:

If you are using the default config then your eap.conf must have
  default_eap_type = md5


Yes. The client NAKs the EAP-MD5 and asks for PEAP.



Try with peap.


Just to placate you, I have done so. It made no difference, except save 
one round-trip. User- and machine-based auth as well as single signon 
still both work.


The default EAP type is just that - the default. If you have the client 
set up to use PEAP, it will NAK the MD5 and ask for EAP, and the server 
will honour it.


Again: It is important that you understand authentication is driven by 
the CLIENT.



Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 14:24, Bonald wrote:

Yes, I've read it.
Yes, the certificate is trusted on the machine and the user store.

It must be something else; using USER auth it's working. MACHINE auth
is failing.


What is the client operating system and version, including service pack?

Are you using the built-in operating system supplicant, or a 3rd-party 
supplicant?



Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 17:15, Phil Mayers wrote:

On 26/10/11 14:24, Bonald wrote:

Yes, I've read it.
Yes, the certificate is trusted on the machine and the user store.

It must be something else; using USER auth it's working. MACHINE auth
is failing.


What is the client operating system and version, including service pack?

Are you using the built-in operating system supplicant, or a 3rd-party
supplicant?



Also, if you can (unicast, if you want) show the "netsh lan show
profile" output from a command prompt please?



Re: PEAP with Machine auth

2011-10-26 Thread Bonald
Client is Windows7 w/SP1. Using Cisco PEAP it's working. When using
Microsoft PEAP it's failing for machine auth.

I am on WLAN
"netsh wlan show profile" just shows my SSID

That fixed my problem. I needed to check the correct CA in the
protected PEAP properties.
http://www.letu.edu/it/faq/article/AA-00414/0/What-should-I-do-if-I-get-the-error-message-The-connection-attempt-could-not-be-completed-when-connecting-to-wireless.html

thanks

On Wed, Oct 26, 2011 at 1:59 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 26/10/11 17:15, Phil Mayers wrote:

 On 26/10/11 14:24, Bonald wrote:

 Yes, I've read it.
 Yes, the certificate is trusted on the machine and the user store.

 It must be something else; using USER auth it's working. MACHINE auth
 is failing.

 What is the client operating system and version, including service pack?

 Are you using the built-in operating system supplicant, or a 3rd-party
 supplicant?


 Also, if you can (unicast, if you want) show the "netsh lan show profile"
 output from a command prompt please?


Re: PEAP with Machine auth

2011-10-26 Thread Francois Gaudreault
Correct me if I am wrong, but that should not be needed when you are not 
validating server certificate.


That would mean windows is trying to validate server cert when doing 
machine auth even if the profile says otherwise??


On 11-10-26 2:36 PM, Bonald wrote:

Client is Windows7 w/SP1. Using Cisco PEAP it's working. When using
Microsoft PEAP it's failing for machine auth.

I am on WLAN
"netsh wlan show profile" just shows my SSID

That fixed my problem. I needed to check the correct CA in the
protected PEAP properties.
http://www.letu.edu/it/faq/article/AA-00414/0/What-should-I-do-if-I-get-the-error-message-The-connection-attempt-could-not-be-completed-when-connecting-to-wireless.html

thanks

On Wed, Oct 26, 2011 at 1:59 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

On 26/10/11 17:15, Phil Mayers wrote:

On 26/10/11 14:24, Bonald wrote:

Yes, I've read it.
Yes, the certificate is trusted on the machine and the user store.

It must be something else; using USER auth it's working. MACHINE auth
is failing.

What is the client operating system and version, including service pack?

Are you using the built-in operating system supplicant, or a 3rd-party
supplicant?


Also, if you can (unicast, if you want) show the "netsh lan show profile"
output from a command prompt please?




--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 10/26/2011 07:53 PM, Francois Gaudreault wrote:

Correct me if I am wrong, but that should not be needed when you are not
validating server certificate.


There are a few issues; let me try to lay them out.

First: it seems you MUST install the CA on the client (in one or both of
the user or machine store, depending on whether you're doing user or
machine-based auth). Authentication will simply fail if you don't
install the CA - although helpfully Windows does seem to send an
"invalid CA" TLS alert.



Second: If (and only if) you install the CA, then when you FIRST connect
to a network, you will be shown the dialog box "The connection attempt
could not be completed". In my testing, if you click "Continue", then
windows will:


 a. Check the "Validate server certificate" box
 b. Leave the "Connect to these servers" (hostname/CN) field blank
 c. Check the box next to the CA cert

That is, windows will trust on first use (TOFU) the *specific* CA for 
that *specific* connection profile (WLAN SSID or Wired profile).


The text at the link given by the OP is misleading. The issue is not 
whether the CA is a Trusted CA on the machine/user store as a whole. 
It's whether it's trusted for *that specific connection* as a CA for 
signing the authentication server cert.


I'm unsure whether the OP is clicking "Continue" at the prompt and it's
failing, or if he's not clicking "Continue" or not even being presented
with the option - but as I say, in my testing, TOFU works.
