Discussion:
RADIUS wifi not working on Windows with domain users
Forster Arnaud
2018-04-09 13:32:01 UTC
Hello all,
I have a problem in a school with computers connected to the school domain
(I'm using Samba). For private computers, there's no worry; they are
asked to enter a username/password to connect to the wifi and this works
fine. But for laptops belonging to the domain, when I try to connect, no
username/password is requested and the connection just fails.
It seems this is a Windows problem but I wonder if I can do something
from the FreeRADIUS side ...
Thanks to all for your help
--
Meilleures salutations – Freundliche Grüsse – Best regards

MW PROGRAMMATION SA

Arnaud Forster
Systems engineer
Rue Charles Schäublin 2
CH-2735 Malleray
phone: +41 (0)32 491 65 30
fax: +41 (0)32 491 65 35

web: www.mwprog.ch <http://www.mwprog.ch/>
kb: kb.mwprog.ch <http://kb.mwprog.ch/>


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2018-04-09 14:23:09 UTC
I have a problem in a school with computers connected to the school domain (I'm using Samba). For private computers, there's no worry; they are asked to enter a username/password to connect to the wifi and this works fine. But for laptops belonging to the domain, when I try to connect, no username/password is requested and the connection just fails.
The laptops have a machine account which is created in AD, and provisioned by AD to the laptops. They should be using this to connect to WiFi.
It seems this is a Windows problem but I wonder if I can do something from the FreeRADIUS side ...
Read the debug output to see what happens when the laptop connects.

Alan DeKok.

Arnaud Forster
2018-04-10 08:34:56 UTC
Hello Alan,

Thanks for your answer. So I checked the log and the only thing I have
when a computer belonging to the domain tries to connect is the following:

Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional
connection (24), 1 of 29 pending slots used
Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert
read:fatal:unknown CA
Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept:
Failed in SSLv3 read client key exchange A
Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in
__FUNCTION__ (SSL_read)

So I tried to install the ca.der key on the Windows client system but
the error remains.

Thanks for your help

Arnaud
Arran Cudbard-Bell
2018-04-10 08:36:08 UTC
Post by Arnaud Forster
Hello Alan,
Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional connection (24), 1 of 29 pending slots used
Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A
Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
So I tried to install the ca.der key on the Windows client system but the error remains.
Client doesn't know/trust the CA that signed your server certificate.

-Arran
Forster Arnaud
2018-04-10 08:49:12 UTC
Yes, but only for computers which are registered to the Samba domain. For
other ones there's no problem.
Stefan Winter
2018-04-10 09:04:06 UTC
Hi,
Post by Forster Arnaud
Yes, but only for computers which are registered to the Samba domain. For
other ones there's no problem.
With no problem, do you mean:

- there's a box coming up on the first time, and the user can click
"Connect", and then things work

or

- you are provisioning all the non-AD client devices with the needed CA
and server name details, and they can connect automatically

If the former, this is not "no problem" but a gaping security hole.

If the latter: good job on the BYOD clients. Now, for the AD-joined
machines, you probably need to install the CA via GPOs and mark it
as trusted for the *Wi-Fi* login use case. Just being in the generic CA
trust store is *not* enough.

Greetings,

Stefan Winter
--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Forster Arnaud
2018-04-10 09:21:55 UTC
Hello Stefan and thanks for your help :)

With no problem, I mean that a box comes up and I have to enter a
username/password from my domain users. Once this is done, my
username/password are stored and they are not requested anymore. In this
case I didn't install any certificate on my computer.


For computers registered into the domain, there are several cases:

With Windows 10, I can connect if I do that before entering my
username/password to start my session. Once my session has started, I can't
connect anymore.

For Windows 7, as I can't connect before logging in to a session, I tested
2 different situations: 1 with a local account and 1 with a domain
account. In both cases I can't connect to my wifi and the certificate
error comes up.

My domain is a Samba domain so I don't think (but I'm not sure) I can use
GPOs for this.

Thanks very much for your help

Arnaud
Stefan Winter
2018-04-10 09:27:50 UTC
Hello,
Post by Forster Arnaud
With no problem, I mean that a box comes up and I have to enter a
username/password from my domain users. Once this is done, my
username/password are stored and they are not requested anymore. In this
case I didn't install any certificate on my computer.
That's what I meant with "gaping security hole". An attacker can simply
set up a Wi-Fi network with the same SSID and arbitrary RADIUS server,
and your computer will happily send your username and password to that
rogue attacker when in the vicinity.

In order to achieve security, a client device MUST verify the
server-side certificate. And that means installing the CA, marking it as
the CA to trust for this particular Wi-Fi network, and pinning the
expected server name.

I.e. your perception of you not having a problem is wrong.

There are tools that allow you to specify your deployment details and
get an installer that does the right settings out of it. One example is
https://802.1x-config.org
Post by Forster Arnaud
With Windows 10, I can connect if I do that before entering my
username/password to start my session. Once my session has started, I can't
connect anymore.
For Windows 7, as I can't connect before logging in to a session, I tested
2 different situations: 1 with a local account and 1 with a domain
account. In both cases I can't connect to my wifi and the certificate
error comes up.
My domain is a Samba domain so I don't think (but I'm not sure) I can use
GPOs for this.
If it's a Samba 4 AD server, you should be able to. If it's a Samba 3
"NT-Domain" style server, then no.

Greetings,

Stefan Winter
Forster Arnaud
2018-04-10 09:48:37 UTC
Oooh I see now,

Thanks for the information, I'll have a deeper look into this ;)

My Samba AD is NT-domain style... :(

Thanks very much for your help :)

Arnaud
Alan DeKok
2018-04-10 12:51:27 UTC
Post by Stefan Winter
That's what I meant with "gaping security hole". An attacker can simply
set up a Wi-Fi network with the same SSID and arbitrary RADIUS server,
and your computer will happily send your username and password to that
rogue attacker when in the vicinity.
The hope is that most new devices will do certificate pinning. After the first authentication, they cache the CA. And if the CA changes, they complain and refuse to authenticate.

Alan DeKok.