Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-28 Thread Marc Charbonneau
This incorrect-password issue was solved once the proper server
certificate was referenced in FreeRADIUS' eap.conf file.
 
Thanks for all your help!
Marc
 
Solution to get correct cert to work with Windows XP SP2 supplicant:

1) From Linux box:
openssl genrsa -des3 -out server1.key 2048
You will be prompted for a password; this server1.key and the password
you assign are used in the eap.conf file.
openssl req -new -key server1.key -out server1.csr
 
2) Get server1.csr to a Windows workstation that will reach the
Microsoft 2003 CA.  Easiest way might be to use FTP.
The URL to our CA is:  http://10.10.10.10/certsrv 

3) On Web access to CA:
- click Request a Certificate
- click Advanced certificate request
- click Submit a certificate request by using a base-64-encoded CMC or
PKCS #10 file, or submit a renewal request by using a base-64-encoded
PKCS #7 file.
- click Browse for a file to insert, browse to server1.csr,
then click the Read button.
- select Web Server for the certificate template and click Submit
- keep DER encoded selected, then click Download certificate and save
the file as server1.cer

4) Get this file server1.cer back to Linux server with FTP
 
5) Issue the OpenSSL command
openssl x509 -inform DER -in server1.cer -out server1.pem
- update eap.conf to point to this server certificate (server1.pem).

6) Use the same OpenSSL command on the CER file of the root certificate
from the Microsoft CA to convert it to PEM format.  Use this root
certificate (we named it root.pem) and point to it in eap.conf.

7) Run FreeRADIUS with:
radiusd -X

8) Windows XP supplicant should work fine.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
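For readers following the steps above, here is an eap.conf fragment wired to the files those steps produce. It is an added illustration, not Marc's actual configuration: the directive names are those of the FreeRADIUS 1.x `tls`, `peap` and `mschapv2` sections, while the `certs/` paths and the `changeme` passphrase are assumptions. The passphrase must be the one given to `openssl genrsa -des3` in step 1, because the key file stays encrypted on disk; `certificate_file` is the Web Server-template certificate converted in step 5 and `CA_file` the root converted in step 6. PEAP in FreeRADIUS 1.x uses the `tls` section's certificate even when EAP-TLS itself is not offered to clients.

```conf
eap {
    default_eap_type = peap

    # PEAP rides on these TLS settings even if EAP-TLS is never offered.
    tls {
        # Passphrase chosen at "openssl genrsa -des3" in step 1 (assumed value).
        private_key_password = changeme
        private_key_file = ${raddbdir}/certs/server1.key

        # server1.pem from step 5: the Web Server-template cert, which carries
        # the serverAuth EKU (1.3.6.1.5.5.7.3.1) the XP supplicant requires.
        certificate_file = ${raddbdir}/certs/server1.pem

        # root.pem from step 6: the Microsoft CA's root, converted DER -> PEM.
        CA_file = ${raddbdir}/certs/root.pem

        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
    }

    peap {
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}
```

With `radiusd -X` running, a PEAP attempt from the XP client should show the TLS handshake completing and an inner EAP-MSCHAPv2 exchange instead of the `fatal access_denied` alert quoted later in this thread; if the alert persists, the server certificate's extendedKeyUsage is the first thing to check.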

Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-27 Thread Reimer Karlsen-Masur, DFN-CERT
Hi Marc,

are you aware of

PEAP authentication is not successful when you connect to a third-party
RADIUS server

http://support.microsoft.com/kb/885453

Maybe it is somehow related?

Other updates I installed on XP SP2 for WLAN 802.1x and PEAP/EAP-TLS are

Hotfix 917021 (Wireless Client Update)
http://support.microsoft.com/kb/917021

Hotfix 893357 (WPA2 Update)
http://support.microsoft.com/kb/893357

Marc Charbonneau wrote:
 
 Ok, I minted the Certificates/Keys with a CA running on a Windows 2003
 server and was able to get them into the PEM format.  The EAP.CONF was
 modified accordingly and RADIUSD is happy.  I am still able to
 authenticate with no problems with 802.1x PEAP (EAP-MSCHAP V2) when
 using Cisco's ADU configuration tool.  Still have problems when using
 the Windows XP supplicant.
  
 In trying to authenticate with the Windows XP supplicant, I can see from
 the logs that it's changing the password's 1st character to an a.  If
 you look at the log data below, you'll see that the user account
 UOHI-40615 being used to authenticate is failing because the password
 sent is aassword2 instead of password2.

Are you typing your username/password on demand, or has XP stored it
earlier and is reusing it?

If the latter, have you once typed the wrong password and XP is remembering
the wrong password?

 Does anyone know how to fix this problem?
 I'm so close, please help me find the needle in the haystack.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-27 Thread Reimer Karlsen-Masur, DFN-CERT
Hi.

[EMAIL PROTECTED] wrote:
 either use your current tool but include the XP extensions as required,

Just to be precise. The named extensions are PKIX extensions for serverAuth
(OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and clientAuth (OID
1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant).

Also if a client certificate is used on Windows with EAP-TLS the
extendedKeyUsage Microsoft SmartCard Logon (OID 1.3.6.1.4.1.311.20.2.2)
*must not* be present because Windows won't be able to use/choose such a
client certificate to authenticate at the RADIUS server.

It is only Windows that looks at these extendedKeyUsages in the
certificate and expects the correct extensions here.

-- 
Reimer Karlsen-Masur
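Reimer's point above (serverAuth on the RADIUS server certificate; clientAuth, and never Smart Card Logon, on an EAP-TLS client certificate) and the DER-to-PEM conversion in step 5 of Marc's solution at the top of this thread can both be checked offline. The following Python is an added example, not code from the thread or from FreeRADIUS: it walks a certificate's DER just far enough to read the extKeyUsage OIDs, reports what the XP supplicant would reject, and performs the same DER-to-PEM conversion as `openssl x509 -inform DER`. Because no real .cer from the CA is on the page, the certificates it checks are constructed, unsigned skeletons built by `build_sample_cert`; in practice pass it `open("server1.cer", "rb").read()`, or compare against `openssl x509 -in server1.pem -noout -text` and look for the "X509v3 Extended Key Usage" line.

```python
"""Check a certificate's extendedKeyUsage for Windows XP 802.1X use and convert
the Microsoft CA's DER (.cer) output to the PEM FreeRADIUS wants. Stdlib only."""
import base64
import textwrap

OID_EKU = "2.5.29.37"                          # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"              # id-kp-serverAuth: RADIUS server cert needs it
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"              # id-kp-clientAuth: EAP-TLS client cert needs it
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # must NOT be on an EAP-TLS client cert

def tlv(tag, content):
    """Encode one DER element (definite-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def read_tlv(buf, pos=0):
    """Decode one DER element: (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length, as real certificates use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0                      # (tag, content) members of a constructed element
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:                  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += reversed(chunk)
    return tlv(0x06, bytes(body))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def eku_oids(cert_der):
    """Certificate -> tbsCertificate -> extensions [3] -> extKeyUsage -> list of OIDs."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs = children(cert)[0]
    for tag, val in children(tbs):
        if tag != 0xA3:                   # extensions are tagged [3] EXPLICIT
            continue
        _, ext_list, _ = read_tlv(val)
        for _, ext in children(ext_list):
            fields = children(ext)        # extnID, optional critical, extnValue
            if decode_oid(fields[0][1]) == OID_EKU:
                _, eku_seq, _ = read_tlv(fields[-1][1])  # OCTET STRING wraps SEQUENCE OF OID
                return [decode_oid(v) for _, v in children(eku_seq)]
    return []

def check_xp_eap_cert(cert_der, role):
    """role 'server' = RADIUS cert for PEAP/EAP-TLS, 'client' = EAP-TLS supplicant cert."""
    ekus, problems = eku_oids(cert_der), []
    if role == "server" and SERVER_AUTH not in ekus:
        problems.append("missing serverAuth EKU " + SERVER_AUTH)
    if role == "client":
        if CLIENT_AUTH not in ekus:
            problems.append("missing clientAuth EKU " + CLIENT_AUTH)
        if MS_SMARTCARD_LOGON in ekus:
            problems.append("Smart Card Logon EKU " + MS_SMARTCARD_LOGON + " present")
    return problems                       # empty list = usable by the XP supplicant

def der_to_pem(der):
    """Same result as: openssl x509 -inform DER -in server1.cer -out server1.pem"""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-----")))

def build_sample_cert(ekus):
    """CONSTRUCTED test input: unsigned X.509 v3 skeleton carrying only an extKeyUsage extension."""
    eku_ext = tlv(0x30, encode_oid(OID_EKU) + tlv(0x04, tlv(0x30, b"".join(map(encode_oid, ekus)))))
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")  # version v3, serial 1
              + empty * 5                                               # sigAlg, issuer, validity, subject, SPKI
              + tlv(0xA3, tlv(0x30, eku_ext)))                          # extensions [3]
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))                  # + sigAlg, empty BIT STRING

if __name__ == "__main__":
    for ekus in ([], [SERVER_AUTH]):      # SubCA-template-like vs Web Server-template-like
        print(ekus, check_xp_eap_cert(build_sample_cert(ekus), "server") or "OK for the XP supplicant")
```

The SubCA-template certificate Marc first tried corresponds to the empty EKU list (no serverAuth, so `check_xp_eap_cert` reports it), while a Web Server-template certificate carries serverAuth and passes. The walker ignores signatures and validity entirely; it only answers the one question Windows asks about the extension, so it does not replace verifying the chain against root.pem.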

Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-27 Thread Marc Charbonneau
Hi, it looks like I used a certificate with the wrong OID.  I used a
cert minted with their SubCA template which doesn't have the (OID
1.3.6.1.5.5.7.3.1).
 
In playing with the Microsoft CA on Windows 2003 server, I've found
that the Certificate made using the Web Server template is the one
required.  Unfortunately, this particular template doesn't allow the
Certificate's keys to be exported.  I tried creating a new Certificate
template by copying from the one called Web Server and now, I have a
new Web Server template with the ability to export its keys.  The
problem is I can't seem to make use of this new template within their
CA.
 
I know this is a Microsoft issue but I've looked high and low in their
docs and when you go to their CA and try to select Certificate Template
to Issue, the new templates created are not available.  I'm a little
obsessed with making this work, so I'm hoping someone here has a quick answer
to making Microsoft's CA allow me to mint a Web Server certificate with
exportable keys.
 
Thanks for any future and previous help,
Marc

 [EMAIL PROTECTED] 4/27/2007 4:11:58 AM 

Hi.

[EMAIL PROTECTED] wrote:
 either use your current tool but include the XP extensions as
required,

Just to be precise. The named extensions are PKIX extensions for
serverAuth
(OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and clientAuth (OID
1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant).

Also if a client certificate is used on Windows with EAP-TLS the
extendedKeyUsage Microsoft SmartCard Logon (OID
1.3.6.1.4.1.311.20.2.2)
*must not* be present because Windows won't be able to use/choose such
a
client certificate to authenticate at the RADIUS server.

It is only Windows that looks at these extendedKeyUsages in the
certificate and expects the correct extensions here.


Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-25 Thread A . L . M . Buxey
hi,

 rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select

okay. so that's the main issue. were your certificates generated with
the XP extensions? how have you configured the native supplicant?
it doesn't need much configuring: just disable fast-connect, disable
user guest account, use machine auth (if you're not doing machine)
and click the MSCHAPv2 stuff and deselect the 'use windows username/password'
if you cannot use those. then it's up to you to ensure the cert is in the
store and you verify or don't verify your radius cert.

alan


Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-25 Thread Marc Charbonneau
Ok, that's what I thought (about the root Certificate not being pleasing
to XP).
 
FYI:   I'm using a version of Linux by Novell called SLES (SUSE Linux
Enterprise Server) version 9 Service Pack 3 and the FreeRADIUS is from
Novell's Web site (freeradius-1.0.2-0.i586.rpm,
freeradius-devel-1.0.2-0.i586.rpm).
 
I've done my Certificate work by using SLES' YaST, Security and
Users, CA Management.  I simply exported the root cert using this CA
Management GUI.  This worked great with Cisco's ADU configuration tool.
 
If someone could give me the quickest and easiest way to create a
root certificate that works with Windows XP, that would be great.
 
I have another CA running on a Windows 2003 server, can I make use of
this CA somehow?
 
Thanks for any help.
Marc

 [EMAIL PROTECTED] 4/25/2007 1:33:00 PM 

hi,

rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select

okay. so that's the main issue. were your certificates generated with
the XP extensions? how have you configured the native supplicant?
it doesn't need much configuring: just disable fast-connect, disable
user guest account, use machine auth (if you're not doing machine)
and click the MSCHAPv2 stuff and deselect the 'use windows
username/password'
if you cannot use those. then it's up to you to ensure the cert is in
the
store and you verify or don't verify your radius cert.

alan

Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-25 Thread A . L . M . Buxey
Hi,

 If someone could give me the quickest and easiest way to creating a
 root certificate that's works with Windows XP, that would be great.

either use your current tool but include the XP extensions as required,
or use the 1.1.6 FreeRADIUS source code - to simply use the script in
that to generate such certs OR use the CVS version of FreeRADIUS
which has a nice new certificate generation tool which will configure
the eap.conf for you and create nice shiny certs for use! ;-)

 I have another CA running on a Windows 2003 server, can I make use of
 this CA somehow?

yes. that will generate the right type! use the EAP-TLS HOWTO document
that's widely linked from many FreeRADIUS help locations.

alan