I loaded the computer certificate via the MMC Certificates module,
into the Local Machine, Personal store. When there isn't one in
there I get a "can't find a certificate" error in Windows when trying
to connect and it never tries to do EAP. Also, looking at the user
log and the computer log, they both get the "TLS_accept:error in
SSLv3 read client certificate A" at that stage.
Looking at User cert request ID #52 and Computer cert request ID #40
(where the "SSLv3 read client certificate A" error occurs) they are
pretty much identical. The next messages in the sequence (#53/#41)
are also almost identical (the freeradius reply is identical right down
to the EAP-Message blobs in the response). The message after that
is where things appear to go wrong, in User #54, a ton of EAP data
comes in from the client, the client cert details show up, and
authentication seems to be wrapping up; but in Computer #42 barely
anything appears in the EAP blobs and the process appears to start
cycling over again.
Thanks
-- Mike Olson
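To make the difference Mike sees between the user packet (#54) and the computer packet (#42) concrete, here is an added Python script (not from the thread or from FreeRADIUS) that decodes the EAP-TLS payload of each Access-Request in a FreeRADIUS-style debug excerpt and reports whether the client's answer to the server's CertificateRequest was a real Certificate message or an empty one, which is what a Windows host with nothing in the Local Machine/Personal store sends. The log layout and all hex values are constructed assumptions, not the poster's logs.

```python
import re
from typing import Dict, Optional
# Constructed FreeRADIUS 1.x-style debug excerpt (not the poster's real logs):
# id=41 answers the server's CertificateRequest with an EMPTY TLS Certificate
#   message (certificate_list length 0), which is what a Windows host with no
#   certificate in the Local Machine/Personal store sends;
# id=54 carries the first fragment (EAP-TLS L+M flags) of a real Certificate.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.1:1024, id=41, length=160
        User-Name = "host/wks1.example.com"
        EAP-Message = 0x020b00160d800000000c16030100070b
        EAP-Message = 0x000003000000
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate
rad_recv: Access-Request packet from host 10.0.0.1:1025, id=54, length=1400
        User-Name = "mike"
        EAP-Message = 0x020c04c00dc00000048f160301048a0b0004860004830004803082047c
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 048a], Certificate
"""
REQ_RE = re.compile(r"^rad_recv: Access-Request .*?\bid=(\d+)")
EAP_RE = re.compile(r"^\s*EAP-Message = 0x([0-9a-fA-F]+)\s*$")

def eap_payloads(log: str) -> Dict[int, bytes]:
    """Concatenate the EAP-Message attributes of each Access-Request, keyed by RADIUS id."""
    out: Dict[int, bytearray] = {}
    current: Optional[int] = None
    for line in log.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = int(m.group(1))
            out[current] = bytearray()
        elif current is not None and (m := EAP_RE.match(line)):
            out[current] += bytes.fromhex(m.group(1))
    return {k: bytes(v) for k, v in out.items()}

def classify_client_flight(eap: bytes) -> str:
    """Look at the first TLS handshake message inside an EAP-TLS Response.
    Returns 'empty-certificate', 'certificate', 'other' or 'not-eap-tls'."""
    if len(eap) < 6 or eap[0] != 2 or eap[4] != 13:   # EAP Response, type 13 = EAP-TLS
        return "not-eap-tls"
    tls = eap[10:] if eap[5] & 0x80 else eap[6:]       # L flag: 4-byte TLS length precedes data
    # record: type(1)=22 handshake, version(2), length(2); handshake: type(1)=11 Certificate, length(3); then certificate_list length(3)
    if len(tls) < 12 or tls[0] != 22 or tls[5] != 11:
        return "other"
    return "empty-certificate" if int.from_bytes(tls[9:12], "big") == 0 else "certificate"

def diagnose(log: str) -> Dict[int, str]:
    return {rid: classify_client_flight(p) for rid, p in eap_payloads(log).items()}

if __name__ == "__main__":
    for rid, verdict in diagnose(SAMPLE_LOG).items():
        print(f"Access-Request id={rid}: client flight = {verdict}")
```

Only the first handshake message of the first TLS record is inspected, which is enough because the Certificate message opens the client's flight; later fragments of a multi-packet certificate are not reassembled.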
[EMAIL PROTECTED] wrote:
machine: TLS_accept:error in SSLv3 read client certificate A
user: (other): SSL negotiation finished successfully
There doesn't seem to be a machine certificate in the certificate store.
Ivan Kalik
Kalik Informatika ISP
On 18/1/2008, "Michael Olson" <[EMAIL PROTECTED]> writes:
I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine
authentication. I set up FreeRADIUS following the guide at
http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using
OpenSSL to generate the certificates.
I can authenticate using user certificates fine, so I'm pretty sure all the
Certificates & CA setup is right on the RADIUS server certificate, User
certificate, and the Root Certificate. That leaves the Computer Certificate.
I generated the computer certificate to have the common name be the machine
name (I've tried it plain and FQDN) and I've put the FQDN in the altSubjectName
field as well. It has the same usage extensions as the User certificates.
(TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to
Computer Only (2), and it tries to authenticate which suggests that the
workstation is okay with the certificate.
Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
Other than that I can't think of where to look for a problem. Comparing logs
between user and computer authentication I can see where it starts differing
but I can't find anything I can interpret as to why. Nothing seems to fail for
the computer, it just cycles endlessly.
Successful User Authentication Log:
http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
Failed Computer Authentication Log:
http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
I also tossed out the windows tracing logs for both user and computer auth
and anything else that seemed useful in
http://www.cs.odu.edu/~olson/eap/
Can anybody give me a pointer on where to look for problems?
Thanks
-- Mike Olson
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html