Re: PEAP with Machine auth
The weird thing is that I didn't see that popup

On Wed, Oct 26, 2011 at 5:07 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> Second: If (and only if) you install the CA, then when you FIRST connect to a network, you will be shown the dialog box "The connection attempt could not be completed". In my testing, if you click "Continue", then windows will:
> [...]
> I'm unsure whether the OP is clicking "Continue" at the prompt and it's failing, or if he's not clicking "Continue" or not even being presented with the option - but as I say, in my testing, TOFU works.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP with Machine auth
On 27/10/11 13:12, Bonald wrote:
> The weird thing is that I didn't see that popup

That is very odd. I just tried this again; purged the CA from the User and Machine lists, deleted the wired 802.1x profile and re-connected.

1st time - no joy because the CA is unknown. Import the CA, retry and I get prompted to Terminate or Connect. If I click Connect, the 802.1x profile is altered to trust the CA.

Maybe you have some windows Group Policy which is preventing you from being prompted?
Re: PEAP with Machine auth
Exactly, I have a GPO that's pushing some wireless profiles. When disabling this GPO I see the popup.

On Thu, Oct 27, 2011 at 9:37 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> Maybe you have some windows Group Policy which is preventing you from being prompted?
Re: PEAP with Machine auth
On 27/10/11 15:18, Bonald wrote:
> Exactly, I have a GPO that's pushing some wireless profiles. When disabling this GPO I see the popup.

Sigh. I hate windows.

I'm glad you've got it sorted out. If you find time to write some docs in the wiki that describe which GPO objects caused what behaviour, it might be useful for others in the future.
Re: PEAP with Machine auth
On 26/10/11 13:49, Bonald wrote:
> WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility

Did you follow the link? Did you read it?

Most likely, you need to ensure your certificate CA is trusted by the machine store, as well as the user store(s)
Re: PEAP with Machine auth
Yes, I've read it. Yes, the certificate is trusted on the machine and the user store. It must be something else; using USER auth it's working. MACHINE auth is failing.

On Wed, Oct 26, 2011 at 10:14 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> Did you follow the link? Did you read it?
>
> Most likely, you need to ensure your certificate CA is trusted by the machine store, as well as the user store(s)
Re: PEAP with Machine auth
On 26/10/11 14:24, Bonald wrote:
> Yes, I've read it. Yes, the certificate is trusted on the machine and the user store. It must be something else; using USER auth it's working. MACHINE auth is failing.

Well, I guess it's just broken then. Oh well.

Seriously - it's important to understand that the CLIENT stops responding. FreeRADIUS can't do anything more in this case - the client has stopped sending EAPOL packets, so the client must think that something is wrong.

You will have to debug the client. This is very, very painful on Windows; it's hard to even find the EAPOL debugging options, let alone interpret the results.

Good luck.
Re: PEAP with Machine auth
Phil Mayers wrote:
> Seriously - it's important to understand that the CLIENT stops responding. FreeRADIUS can't do anything more in this case - the client has stopped sending EAPOL packets, so the client must think that something is wrong.

That's the main issue people have with RADIUS. The client is in charge of pretty much everything, and few people understand that.

Q: Why does the client stop talking to the server?
A: Because it doesn't like the response from the server

Q: OK... *what* part of the response doesn't it like?
A: Go ask the client

Q: But I can't! What do I do?
A: Well... we don't know, either. Go ask Microsoft.

> You will have to debug the client. This is very, very painful on Windows; it's hard to even find the EAPOL debugging options, let alone interpret the results.

Yes. Everyone reading this list should understand CLIENT issues cause you to debug the CLIENT. If the server returns the wrong thing... you can fix the server. For pretty much everything else, blame the client.

Alan DeKok.
RE: PEAP with Machine auth
Ok, I have been watching your discourse from afar and I have to say this:

> This kind of QA thing helps no one here! ...

Two things. Number one, he IS answering your questions. He is just not GIVING you the answer. Number two, the gentleman in question is quite possibly the preeminent FreeRADIUS expert in the world. When he tells you something about FreeRADIUS, you should listen.

Sorry, I am not trying to be too blunt. But when an expert speaks, you should listen. This is true in any area.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Sergio NNX
Sent: Wednesday, October 26, 2011 8:47 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: PEAP with Machine auth

This kind of QA thing helps no one here! Many people are reporting the same issue on different platforms! I don't think the problem is either with the client or the certificates since I conducted some testing using the same client and the same certificates but an old FR version (1.1.7) and the tests pass. It's easier to blame something else but we could spend that time contributing to the solution and so helping others!

> Date: Wed, 26 Oct 2011 15:36:19 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: PEAP with Machine auth
>
> Phil Mayers wrote:
>> Seriously - it's important to understand that the CLIENT stops responding. FreeRADIUS can't do anything more in this case - the client has stopped sending EAPOL packets, so the client must think that something is wrong.
>
> That's the main issue people have with RADIUS. The client is in charge of pretty much everything, and few people understand that.
> [...]
> Yes. Everyone reading this list should understand CLIENT issues cause you to debug the CLIENT. If the server returns the wrong thing... you can fix the server. For pretty much everything else, blame the client.
>
> Alan DeKok.
Re: PEAP with Machine auth
Francois Gaudreault wrote:
> Even more weird, we have had the same issue lately with one controller model, and not the other. We were using the same config on the client, on the server, and the same certs.

Ouch. The whole EAP ecosystem is fragile to the point of insanity. There are times when I'm surprised it works at *all*.

> I also tend to blame the client tho, maybe EAP is now more strict on the server side? If you can point us a doc to enable the EAP debug under windows, I am sure many people (even myself) would be glad to troubleshoot.

The server side of EAP has changed a bit... but not much. Most of the changes to EAP are really the SSL stuff inside of OpenSSL, which we don't control.

Alan DeKok.
Re: PEAP with Machine auth
>> Even more weird, we have had the same issue lately with one controller model, and not the other. We were using the same config on the client, on the server, and the same certs.
>
> Ouch. The whole EAP ecosystem is fragile to the point of insanity. There are times when I'm surprised it works at *all*.

You bet. It was two controllers from the same manufacturer, just different model/firmware :S

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: PEAP with Machine auth
On 26/10/11 14:58, Phil Mayers wrote:
> On 26/10/11 14:47, Sergio NNX wrote:
>> This kind of QA thing helps no one here! Many people are reporting the same issue on different platforms! I don't think the problem is either with the client or the certificates since I conducted some testing using the same client and the same certificates but an old FR version (1.1.7) and the tests pass. It's easier to blame something else but we could spend that time contributing to the solution and so helping others!
>
> In earnest: What exactly would you like us to do? Be specific. Bear in mind that no-one is paid to offer help here.
>
> If you can reproduce the problem reliably, then do so. Carefully document the configs that work under 1.1.7, and fail under 2.1.12, including the client configuration. Give that information to the list, and I'm sure if people are interested, they will take a look.
>
> If no-one is interested, you should start investigating the problem yourself - FreeRADIUS is open source. If you lack the skills locally, hire a contractor.
>
> I will try to find some time today to test machine auth.

Sorry, this is long. tl;dr version - under Windows 7, if you import the CA certificate into the "Trusted Root Certification Authorities" hierarchy in the MMC "Certificates" snap-in, Windows 7 user- and machine-auth work just fine against an out-of-the-box FreeRADIUS 2.1.12 with only two minor changes. It works for me.

===

I have just tested machine auth on a Windows 7 client. Everything works as I expected.

Using an out-of-the-box FreeRADIUS 2.1.12 install and default configs, I made two changes:

1. Edit modules/mschap to enable the ntlm_auth helper like so:

   ntlm_auth = ... --username=%{mschap:User-Name} ...

2. Edit clients.conf to add an entry for the switch

I then started FreeRADIUS, and it auto-generated the certificates.

I then tried a sequence of things on the Windows client.

First - open the services MMC snap-in, and start (and set to auto-start) the "Wired autoconfig" service

Second - open the network adapter list, right-click on the wired adapter, and enable authentication using the default settings (PEAP, MSCHAP inner) except that I unchecked "use my windows domain login / password"

I then enabled 802.1x on the port facing the machine.

== 1st auth ==

Failed. Client did the TLS negotiation, and returned the following error to FreeRADIUS:

[peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.

This is expected; we haven't yet imported the client cert into the certificate store.

== 2nd auth ==

Copy the ca.cer file onto the client, double-click on it, follow the prompts using the defaults.

This didn't work - the client did not import the cert, despite appearing to, so auth again failed.

== 3rd auth ==

Open mmc, add the "Certificates" snap-in for "My user account". In the snap-in, expand the "Trusted Root Certification Authorities" folder, and right click on the "Certificates" child - select "All Tasks", "Import". Browse to the cert and import it. You will be prompted saying "Windows cannot verify ..." - click OK.

You should now see the "example" cert in the list.

Re-start the 802.1x auth (unplug/reconnect). You will be prompted for a username/password, as before - this time, auth will succeed.

== 4th auth ==

Return to the network adapter settings. Right-click, select properties. Go to the "Authentication" tab, select "Additional settings", and tick the "Specify authentication mode" box, and select "Computer authentication" from the drop-down.

The machine will re-authenticate and, as expected, fail with a bad CA alert:

[peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

== 5th auth ==

Return to the mmc window; add the "Certificates" snap-in for the computer account. Again, expand "Trusted Root Certification Authorities" and right-click on "Certificates" and select "All tasks", "Import...". Browse to the ca.cer and import it.

Re-start authentication. Authentication will work.
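The radiusd -X lines above, and the "EAP session ... did not finish" warning quoted earlier in the thread, are enough to decide which side of the exchange to debug. The helper below is an added example (not code from the thread or from the FreeRADIUS project): it scans a debug excerpt for a TLS alert the server *read* (that is, one the client sent) and for unfinished-session warnings, and reports that the fault is client-side with a pointer at the relevant certificate store. The `unknown CA` entry is the case on this page; the other alert descriptions are standard TLS alerts from RFC 5246 that I have added, and both sample excerpts are constructed from the lines quoted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the radiusd -X lines quoted in this thread, in the order
# they would appear for one failed machine-auth attempt.
SAMPLE_UNKNOWN_CA = """\
[peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
"""

# Constructed sample: the client simply went silent, with no TLS alert at all.
SAMPLE_SILENT = """\
WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
"""

ALERT_RE = re.compile(r"TLS Alert read:(?P<level>warning|fatal):(?P<desc>.+)$")
UNFINISHED_RE = re.compile(r"EAP session for state (?P<state>0x[0-9a-fA-F]+) did not finish")

# TLS alert descriptions as OpenSSL prints them (lower-cased), with the RFC 5246
# meaning and what it implies on the client.  "unknown ca" is the case in the
# thread; the others are standard alerts added here for completeness.
CLIENT_SIDE_ALERTS: Dict[str, str] = {
    "unknown ca": "client could not match the CA that signed the server certificate "
                  "to a trusted CA: import the CA into the store the supplicant uses "
                  "(user store for user auth, machine store for machine auth) and make "
                  "sure it is ticked in the connection profile",
    "certificate expired": "server certificate or CA is outside its validity period "
                           "by the client's clock",
    "bad certificate": "certificate was corrupt or its signature did not verify",
    "certificate unknown": "client rejected the certificate for an unspecified reason; "
                           "only the supplicant's own log will say why",
    "handshake failure": "client could not agree on TLS parameters with the server",
}


@dataclass
class Triage:
    unfinished_states: List[str] = field(default_factory=list)
    alerts: List[Tuple[str, str]] = field(default_factory=list)
    side: str = "unknown"   # becomes "client" once the evidence points at the supplicant
    advice: List[str] = field(default_factory=list)


def triage(debug_output: str) -> Triage:
    """Classify one failed EAP session from a radiusd -X excerpt."""
    result = Triage()
    for line in debug_output.splitlines():
        m = ALERT_RE.search(line)
        if m:
            result.alerts.append((m.group("level"), m.group("desc").strip()))
            continue
        m = UNFINISHED_RE.search(line)
        if m:
            result.unfinished_states.append(m.group("state"))

    # "TLS Alert read" is an alert the server received, i.e. one the client sent:
    # the client is refusing the server's certificate or parameters, so nothing
    # in the FreeRADIUS config will change its mind.
    for level, desc in result.alerts:
        cause = CLIENT_SIDE_ALERTS.get(desc.lower())
        if cause:
            result.side = "client"
            result.advice.append(f"{level} '{desc}': {cause}")
        else:
            result.advice.append(f"{level} '{desc}': unrecognised alert, check the supplicant log")

    if result.unfinished_states and not result.alerts:
        # No alert to explain it: the client stopped sending EAPOL frames without
        # saying why, which is the "debug the CLIENT" case from this thread.
        result.side = "client"
        result.advice.append("client went silent with no TLS alert; enable supplicant-side logging")
    return result


if __name__ == "__main__":
    for name, sample in (("unknown_ca", SAMPLE_UNKNOWN_CA), ("silent", SAMPLE_SILENT)):
        t = triage(sample)
        print(f"{name}: side={t.side} sessions={t.unfinished_states}")
        for item in t.advice:
            print("  -", item)
```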
Re: PEAP with Machine auth
On 26/10/11 16:14, Phil Mayers wrote:
> Sorry, this is long. tl;dr version - under Windows 7, if you import the CA certificate into the "Trusted Root Certification Authorities" hierarchy in the MMC "Certificates" snap-in, Windows 7 user- and machine-auth work just fine against an out-of-the-box FreeRADIUS 2.1.12 with only two minor changes. It works for me.

I've also tested the 802.1x single sign-on functionality in Windows 7. Again, with the certs in the appropriate place, this just works. The machine authenticates as itself - host/name.domain.com - and when you enter your username/password, it de-auths and re-auths as DOM\user
Re: PEAP with Machine auth
If you are using the default config then your eap.conf must have default_eap_type = md5

Try with peap.

On Wed, Oct 26, 2011 at 12:14 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> Sorry, this is long. tl;dr version - under Windows 7, if you import the CA certificate into the "Trusted Root Certification Authorities" hierarchy in the MMC "Certificates" snap-in, Windows 7 user- and machine-auth work just fine against an out-of-the-box FreeRADIUS 2.1.12 with only two minor changes. It works for me.
> [...]
> Using an out-of-the-box FreeRADIUS 2.1.12 install and default configs, I made two changes:
>
> 1. Edit modules/mschap to enable the ntlm_auth helper like so:
>
>    ntlm_auth = ... --username=%{mschap:User-Name} ...
>
> 2. Edit clients.conf to add an entry for the switch
> [...]
Re: PEAP with Machine auth
On 26/10/11 16:54, Bonald wrote:
> If you are using the default config then your eap.conf must have default_eap_type = md5

Yes. The client NAKs the EAP-MD5 and asks for PEAP.

> Try with peap.

Just to placate you, I have done so. It made no difference, except save one round-trip. User- and machine-based auth as well as single signon still both work.

The default EAP type is just that - the default. If you have the client set up to use PEAP, it will NAK the MD5 and ask for EAP, and the server will honour it.

Again: It is important that you understand authentication is driven by the CLIENT.
Re: PEAP with Machine auth
On 26/10/11 14:24, Bonald wrote:
> Yes, I've read it. Yes, the certificate is trusted on the machine and the user store. It must be something else; using USER auth it's working. MACHINE auth is failing.

What is the client operating system and version, including service pack?

Are you using the built-in operating system supplicant, or a 3rd-party supplicant?
Re: PEAP with Machine auth
On 26/10/11 17:15, Phil Mayers wrote:
> What is the client operating system and version, including service pack?
>
> Are you using the built-in operating system supplicant, or a 3rd-party supplicant?

Also, if you can (unicast, if you want) show the "netsh lan show profile" output from a command prompt please?
Re: PEAP with Machine auth
Client is Windows7 w/SP1. Using Cisco PEAP it's working. When using Microsoft PEAP it's failing for machine auth.

I am on WLAN

netsh wlan show profile just shows my SSID

That fixed my problem. I needed to check the correct CA in the protected PEAP properties.
http://www.letu.edu/it/faq/article/AA-00414/0/What-should-I-do-if-I-get-the-error-message-The-connection-attempt-could-not-be-completed-when-connecting-to-wireless.html

thanks

On Wed, Oct 26, 2011 at 1:59 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> What is the client operating system and version, including service pack?
>
> Are you using the built-in operating system supplicant, or a 3rd-party supplicant?
>
> Also, if you can (unicast, if you want) show the "netsh lan show profile" output from a command prompt please?
Re: PEAP with Machine auth
Correct me if I am wrong, but that should not be needed when you are not validating server certificate. That would mean windows is trying to validate server cert when doing machine auth even if the profile says otherwise??

On 11-10-26 2:36 PM, Bonald wrote:
> Client is Windows7 w/SP1. Using Cisco PEAP it's working. When using Microsoft PEAP it's failing for machine auth.
>
> I am on WLAN
>
> netsh wlan show profile just shows my SSID
>
> That fixed my problem. I needed to check the correct CA in the protected PEAP properties.
> http://www.letu.edu/it/faq/article/AA-00414/0/What-should-I-do-if-I-get-the-error-message-The-connection-attempt-could-not-be-completed-when-connecting-to-wireless.html
>
> thanks

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: PEAP with Machine auth
On 10/26/2011 07:53 PM, Francois Gaudreault wrote:
> Correct me if I am wrong, but that should not be needed when you are not validating server certificate.

There are a few issues; let me try to lay them out.

First: it seems you MUST install the CA on the client (in one or both of the user or machine store, depending on whether you're doing user or machine-based auth). Authentication will simply fail if you don't install the CA - although helpfully Windows does seem to send an "invalid CA" TLS alert.

Second: If (and only if) you install the CA, then when you FIRST connect to a network, you will be shown the dialog box "The connection attempt could not be completed". In my testing, if you click "Continue", then windows will:

a. Check the "Validate server certificate"
b. Leave the "Connect to these servers" (hostname/CN) blank
c. Check the box next to the CA cert

That is, windows will trust on first use (TOFU) the *specific* CA for that *specific* connection profile (WLAN SSID or Wired profile).

The text at the link given by the OP is misleading. The issue is not whether the CA is a Trusted CA on the machine/user store as a whole. It's whether it's trusted for *that specific connection* as a CA for signing the authentication server cert.

I'm unsure whether the OP is clicking "Continue" at the prompt and it's failing, or if he's not clicking "Continue" or not even being presented with the option - but as I say, in my testing, TOFU works.