It's worth ensuring that you have loaded the private key component of the certificate.
Depending on how you generated the cert, you might only have the public key, which is utterly useless for machine auth. In the cert file you loaded into MMC, check that there are two parts - private and public. Also, if you didn't have to type in a password to load the machine cert, there is a pretty good chance that you are missing the private key component.

We are using freeradius 1.0.0-pre3 successfully with EAP TLS. I can't say it was easy, but we muddled through it and it all seems to work now.

Cheers,
Ben

On Wed, 21 Jul 2004 15:31:58 -0400 (EDT), Joe Meslovich <[EMAIL PROTECTED]> wrote:
>
> I just wanted to add some information to this message. I turned on EAPOL
> file tracing in the registry. When I look at the trace log that is
> created on the client, an error is occurring when the client should be
> generating the response that contains its credentials. The error code in
> the EAPOL log is -2146893802. From what I've seen that error code has to
> do with not finding a keyset pair.
>
> When doing machine authentication do the certificates need to be installed
> in a special manner? When I go into mmc I see the certificates that I
> installed in the local computer store.
>
> Joe Meslovich
>
> On Wed, 21 Jul 2004, Joe Meslovich wrote:
>
> > I am trying to get machine authentication working using freeradius and a
> > Windows XP SP1 client. I originally tried to make this work with
> > freeradius 0.9.3, but then moved to 1.0.0pre3 in hopes of making it work.
> >
> > Here is what I see when I sniff the traffic between the client and the AP
> > using ethereal.
> >
> > Client                          AP
> > ------                          ----
> > EAPOL Start            --->
> >
> >                        <---   Request, Identity
> >
> > Response, Identity     --->
> >
> >                        <---   Request, EAP-TLS
> >
> > And that is it. The client never responds to the Request, EAP-TLS. Below
> > is the contents of that last packet from the AP to the client:
> >
> > 802.1x Authentication
> >     Version: 1
> >     Type: EAP Packet (0)
> >     Length: 6
> >     Extensible Authentication Protocol
> >         Code: Request (1)
> >         Id: 17
> >         Length: 6
> >         Type: EAP-TLS [RFC2716] [Adoba] (13)
> >         Flags (0x20): Start
> >
> > On the server side I see the following
> >
> > rad_recv: Access-Request packet from host 147.138.120.170:6001, id=73, length=173
> >         User-Name = "host/testwire.bridgewater.edu"
> >         NAS-IP-Address = 147.138.120.170
> >         Called-Station-Id = "00-20-a6-52-b4-6c"
> >         Calling-Station-Id = "00-90-4b-7d-d5-47"
> >         NAS-Identifier = "WritingWAP"
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-802.11
> >         EAP-Message = 0x0212002201686f73742f74657374776972652e62726964676577617465722e656475
> >         Message-Authenticator = 0x3a892a05d25aa847b9be3c33cd9a7b4a
> > Invalid operator for item Prefix: reverting to '=='
> > Sending Access-Challenge of id 73 to 147.138.120.170:6001
> >         Framed-IP-Address = 255.255.255.254
> >         Framed-MTU = 576
> >         Service-Type = Framed-User
> >         EAP-Message = 0x011300060d20
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         State = 0xc3ff0ce5bfdff596d099ec32ec73aece
> >
> > I am not sure why the XP client never responds to the Request, EAP-TLS
> > packet. On the XP client I have it set to do machine authentication. In
> > the registry I set the AuthMode value to 2 and SupplicantMode to 3. Before
> > I set AuthMode I received errors about not being able to find a
> > certificate to use. Setting SupplicantMode to 3 did not change the
> > behavior. I have a certificate with a CN of testwire.bridgewater.edu in
> > the personal store of the local computer account.
> >
> > I just don't understand what is happening and any help would be greatly
> > appreciated.
> >
> > ----------------------------------------------------------------------------
> > Joe Meslovich                       [EMAIL PROTECTED]
> > Associate Network/Systems Engineer  IT Center
> > Tel: (540) 828 - 5343
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
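One way to apply Ben's check before the certificate ever reaches MMC, as an added example that is not part of the thread or of the FreeRADIUS project: inspect the PKCS#12 (.pfx) file with the openssl command-line tool and confirm it carries a private key whose RSA modulus matches the end-entity certificate. The script builds its own throw-away key pair and self-signed certificate (constructed test material, with a hypothetical host name) and exports it twice, once correctly and once as a certificate-only bundle, which is the failure mode Ben describes.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that a PKCS#12 (.pfx) file
# really carries the private key belonging to the machine certificate,
# before importing it into the local computer store.
# Assumes the openssl command-line tool is installed; the host name is hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throw-away key pair and self-signed cert
# standing in for the CA-issued machine certificate, exported two ways.
gen_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=testwire.example.edu" \
        -keyout "$WORK/machine.key" -out "$WORK/machine.crt" 2>/dev/null
    # Correct export: certificate plus its private key, password protected
    # (this is the case where the MMC import wizard asks for a password).
    openssl pkcs12 -export -in "$WORK/machine.crt" -inkey "$WORK/machine.key" \
        -passout pass:export -out "$WORK/good.pfx"
    # Broken export: the public certificate only, no private key inside.
    openssl pkcs12 -export -in "$WORK/machine.crt" -nokeys \
        -passout pass:export -out "$WORK/cert-only.pfx"
}

# Prints "ok" when the PKCS#12 holds an RSA private key whose modulus matches
# the end-entity certificate; otherwise prints a diagnosis and returns 1.
# Usage: check_pfx FILE PASSWORD
check_pfx() {
    pfx=$1
    pw=$2
    # Extract the key (if any) and print its modulus; empty means no key.
    key_mod=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
              | openssl rsa -noout -modulus 2>/dev/null || true)
    if [ -z "$key_mod" ]; then
        echo "no-private-key"
        return 1
    fi
    # Extract only the end-entity (client) certificate and print its modulus.
    cert_mod=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null \
               | openssl x509 -noout -modulus 2>/dev/null || true)
    if [ -z "$cert_mod" ]; then
        echo "no-certificate"
        return 1
    fi
    if [ "$key_mod" != "$cert_mod" ]; then
        # Key and certificate both present but from different key pairs:
        # the supplicant still could not sign the EAP-TLS handshake.
        echo "key-cert-mismatch"
        return 1
    fi
    echo "ok"
}

gen_test_material
for f in good cert-only; do
    printf '%s.pfx: %s\n' "$f" "$(check_pfx "$WORK/$f.pfx" export)"
done
```

The same modulus comparison works on the PEM key and certificate before they are packaged, which is the cheapest place to catch a mismatch. On the Windows side, after import, the certificate snap-in shows "You have a private key that corresponds to this certificate" on the General tab of a usable machine certificate; a certificate imported from a bundle like cert-only.pfx above lacks that line, which is the condition the thread is chasing.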

