Well this was an embarrassing sort of problem.
The CA certificate was in the Users Trusted Root store, once I moved it
to the Machine Trusted Root store all was well.
For anyone else ever hunting down this problem, the Windows RASTLS.log
error messages I got were:
[4968] 21:57:59:046: SecurityContextFunction
[4968] 21:57:59:062: InitializeSecurityContext returned 0x80090325
[4968] 21:57:59:062: State change to RecdFinished. Error: 0x321
In freeradius it seemed like the login process just cycled forever,
getting to the last message and the client just gave up.
In the Windows "Wireless Network Connection" dialog box it hung in
attempting to verify and never moved on.
Thanks all for enduring my duh moment with me.
v/r
-- Mike Olson
Michael Olson wrote:
I tried upgrading to 2.0.0, very close to a stock default config and
I'm getting the same symptoms, user works, computer doesn't. Makes me
even more suspicious of my certificates. I updated the files listed
below to new logs generated from 2.0.0.
I saw the note to in certs/xpextensions to add 1.3.6.1.4.1.311.17.2 to
the PKCS#12 file attribute bag. I hacked up OpenSSL a bit to get that
to work and I posted the output from an openssl pkcs12 dump to
http://www.cs.odu.edu/~olson/eap/computer.p12.txt , unfortunately
that didn't seem to help.
I'm pretty much dead on ideas at this point, besides Ivan Kaliks
suggestion that I look into the $ appended to the machine name. (Which
I'm pursuing next.)
Thanks
-- Mike Olson
Michael Olson wrote:
I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using
machine
authentication. I set up FreeRADIUS following the guide at
http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and
I'm using
OpenSSL to generate the cetificates.
I can authenticate using user certificates fine, so I'm pretty sure
all the Certificates & CA setup is right on the RADIUS server
certificate, User certificate, and the Root Certificate. That leaves
the Computer Certificate.
I generated the computer certificate to have the common name be the
machine
name (I've tried it plain and FQDN) and I've put the FQDN is the
altSubjectName
field as well. It has the same usage extensions as the User
certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the
AuthMode registry key to Computer Only (2), and it trys to
authenticate which suggests that the workstation is okay with the
certificate.
Computer Certificate details:
http://www.cs.odu.edu/~olson/eap/computer.crt.txt
Other than that I can't think of where to look for a problem.
Comparing logs between user and computer authentication I can see
where it starts differing
but I can't find anything I can interpret as to why. Nothing seems to
fail for
the computer, it just cycles endlessly.
Successful User Authentication Log:
http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
Failed Computer Authentication Log:
http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
I also tossed out the windows tracing logs for both user and computer
auth
and anything else that seemed useful in
http://www.cs.odu.edu/~olson/eap/
Can anybody give me a pointer on where to look for problems?
Thanks
-- Mike Olson
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
