Discussion:
EAP-TLS and Windows 10 fails for wireless
Lucile Quirion
2016-06-09 21:30:52 UTC
Hello everyone,

I'm setting up a RADIUS server, and I've run into some trouble authenticating a Windows 10 laptop via wireless. I got no reply to the 5th "Access-Challenge".

I'm running freeradius-server 3.0.11 with customized demo certificates:
I've integrated the certificate configuration changes from the 3.1.x branch, and also created an unencrypted key (.p12) for my Windows client.

I've installed the root CA certificate (.der) and the client key (.p12) into the User's certificate store on the Windows client.

During my troubleshooting, I've searched for other error reports for EAP-TLS & Windows:
* TLS version compatibility
-> I've forced Windows to use TLS 1.2 (added the TlsVersion DWORD in the registry) (unnecessary, but done).
* 802.11 version compatibility
-> I've tried both 802.11a+g mode and 802.11b+g+n mode on the access point. I've also noted that the Windows 10 laptop can connect when wireless encryption is disabled.
* server certificate requirements
-> Windows successfully authenticates in PEAP mode with the dummy "bob" user when "Verify server certificate" is checked in EAP-TLS parameters
* root CA certificate requirements
* user certificate requirement
* user key requirement (no encryption)
-> Windows successfully authenticates in EAP-TLS mode on the wired connection.
So all certificates are correctly installed, and Windows can use the client's cert/key to authenticate.

I've tried to get some debugging info with the command:
netsh wlan set tra yes
netsh ras set tr * en
<connection attempt>
netsh ras set tr * dis
netsh wlan set tra no

However, I got a handful of files; which ones are relevant? The only advice I got from them is to check TLS and 802.11 compatibility.

Could someone kindly advise me on the next step?

Has anyone run into a similar problem?

Following is the failing connection log from freeradius-server:

# radiusd -X
[...]
Server core libs:
freeradius-server : 3.0.11
talloc : 2.0.*
ssl : 1.0.1j release
pcre : 8.11 2010-12-10
[...] tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius2/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius2/certs/server.key"
certificate_file = "/etc/freeradius2/certs/server.pem"
ca_file = "/etc/freeradius2/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius2/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
[...]
(33) Received Access-Request Id 42 from 10.1.1.2:32962 to 10.255.255.251:1812 length 163
(33) User-Name = "eloi"
(33) Called-Station-Id = "06-F0-21-11-27-D1:acksys"
(33) NAS-Port-Type = Wireless-802.11
(33) NAS-Port = 1
(33) Calling-Station-Id = "24-77-03-1F-B6-78"
(33) Connect-Info = "CONNECT 54Mbps 802.11a"
(33) Acct-Session-Id = "5415B2E9-00000003"
(33) Framed-MTU = 1400
[...]
(33) eap: Peer sent packet with method EAP Identity (1)
(33) eap: Calling submodule eap_tls to process data
(33) eap_tls: Initiating new EAP-TLS session
(33) eap_tls: Setting verify mode to require certificate from client
(33) eap_tls: [eaptls start] = request
(33) eap: Sending EAP Request (code 1) ID 151 length 6
(33) eap: EAP session adding &reply:State = 0xe01d52c2e08a5f27
[...]
(34) Received Access-Request Id 43 from 10.1.1.2:32962 to 10.255.255.251:1812 length 350
[...]
(34) eap: Peer sent EAP Response (code 2) ID 151 length 178
[...]
(34) eap: Peer sent packet with method EAP TLS (13)
(34) eap: Calling submodule eap_tls to process data
(34) eap_tls: Continuing EAP-TLS
(34) eap_tls: Peer indicated complete TLS record size will be 168 bytes
(34) eap_tls: Got complete TLS record (168 bytes)
(34) eap_tls: [eaptls verify] = length included
(34) eap_tls: (other): before/accept initialization
(34) eap_tls: TLS_accept: before/accept initialization
(34) eap_tls: <<< recv TLS 1.2 [length 00a3]
(34) eap_tls: TLS_accept: SSLv3 read client hello A
(34) eap_tls: >>> send TLS 1.2 [length 0051]
(34) eap_tls: TLS_accept: SSLv3 write server hello A
(34) eap_tls: >>> send TLS 1.2 [length 08d9]
(34) eap_tls: TLS_accept: SSLv3 write certificate A
(34) eap_tls: >>> send TLS 1.2 [length 030f]
(34) eap_tls: TLS_accept: SSLv3 write key exchange A
(34) eap_tls: >>> send TLS 1.2 [length 00ba]
(34) eap_tls: TLS_accept: SSLv3 write certificate request A
(34) eap_tls: TLS_accept: SSLv3 flush data
(34) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(34) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(34) eap_tls: In SSL Handshake Phase
(34) eap_tls: In SSL Accept mode
(34) eap_tls: [eaptls process] = handled
(34) eap: Sending EAP Request (code 1) ID 152 length 1014
(34) eap: EAP session adding &reply:State = 0xe01d52c2e1855f27
[...]
(34) Sent Access-Challenge Id 43 from 10.255.255.251:1812 to 10.1.1.2:32962 length 0
[...]
(35) Received Access-Request Id 44 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
[...]
(36) Received Access-Request Id 45 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
[...]
(37) Received Access-Request Id 46 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
[...]
(38) Received Access-Request Id 0 from 10.1.1.2:41720 to 10.255.255.251:1812 length 163
[...]
(39) Received Access-Request Id 1 from 10.1.1.2:41720 to 10.255.255.251:1812 length 350
[...]
(39) eap: Expiring EAP session with state 0xe01d52c2e4865f27
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! EAP session with state 0xe01d52c2e4865f27 did not finish! !!
!! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--
Lucile Quirion

Consultante en logiciels libres
Savoir-faire Linux
Tel: + 1 (514) 276 5468, ext. 312
-
List info/subscribe/unsubscribe? See ht
Arran Cudbard-Bell
2016-06-09 21:45:14 UTC
Post by Lucile Quirion
[...]
(34) Sent Access-Challenge Id 43 from 10.255.255.251:1812 to 10.1.1.2:32962 length 0
[...]
(35) Received Access-Request Id 44 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
[...]
(36) Received Access-Request Id 45 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
[...]
(37) Received Access-Request Id 46 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
[...]
(38) Received Access-Request Id 0 from 10.1.1.2:41720 to 10.255.255.251:1812 length 163
[...]
(39) Received Access-Request Id 1 from 10.1.1.2:41720 to 10.255.255.251:1812 length 350
[...]
(39) eap: Expiring EAP session with state 0xe01d52c2e4865f27
Woo lets play the remove all the useful data game...

-Arran


Arran Cudbard-Bell <***@freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Alan DeKok
2016-06-09 22:10:29 UTC
Post by Lucile Quirion
I'm setting up a RADIUS server, and I've run into some trouble authenticating a Windows 10 laptop via wireless. I got no reply to the 5th "Access-Challenge".
The Windows machine doesn't like the certificates.

Why? Ask Windows.

The testing certificates work.
Post by Lucile Quirion
Has anyone run into a similar problem?
Lots of people.
And... heavily edited.

Why?

Alan DeKok.


Ben Humpert
2016-06-10 01:12:49 UTC
I have managed a flat share for plenty of years and have FR running and well configured. I also use EAP-TLS and certificates. I NEVER had a problem with Windows 7, 8 or 8.1 getting it to connect wirelessly. Only Windows 10 does not work. My advice: format the HDD and install Windows 7 or, if you like it less productive but more fancy, Windows 8.1.
Post by Alan DeKok
Post by Lucile Quirion
I'm setting up a RADIUS server, and I've run into some trouble authenticating a Windows 10 laptop via wireless. I got no reply to the 5th "Access-Challenge".
The Windows machine doesn't like the certificates.
Why? Ask Windows.
The testing certificates work.
Post by Lucile Quirion
Has anyone run into a similar problem?
Lots of people.
And... heavily edited.
Why?
Alan DeKok.
Arran Cudbard-Bell
2016-06-10 02:09:18 UTC
Post by Ben Humpert
I have managed a flat share for plenty of years and have FR running and well configured. I also use EAP-TLS and certificates. I NEVER had a problem with Windows 7, 8 or 8.1 getting it to connect wirelessly. Only Windows 10 does not work. My advice: format the HDD and install Windows 7 or, if you like it less productive but more fancy, Windows 8.1.
Or install v3.1.x which is stable now! (except for bug fixes).

...and use the improved debugging output to help us figure out what's going on.

-Arran

Arran Cudbard-Bell <***@freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Lucile Quirion
2016-06-10 19:35:33 UTC
Thanks for your reply.
Post by Arran Cudbard-Bell
Or install v3.1.x which is stable now! (except for bug fixes).
I've installed v3.1.x and the problem resolved itself.

The Wi-Fi menu went through the following steps on the Windows 10 laptop (the certificates were already installed and the wireless connection had been added manually):
* Choose a certificate [Ok]
* Checking network requirements
* Continue connecting?
If you expect to find acksys in this location, go ahead and connect. Otherwise, it may be a different network with the same name.
[Show certificate details]
[Connect] [Cancel]
* Checking network requirements
And the connection was established.

With freeradius v3.0.11, the menu would get stuck at the first "Checking network requirements" for several minutes.
--
Lucile Quirion

Consultante en logiciels libres
Savoir-faire Linux
Tel: + 1 (514) 276 5468, ext. 312
Lucile Quirion
2016-06-10 21:56:48 UTC
I was wrong. Windows 10 can authenticate against freeradius v3.0.11 via EAP-TLS.

My access point is plugged into a switch, and the switch transmits only UDP:1812 IP packets to the server.
I found out that the switch was dropping non-initial fragments of the IP packets.
It was preventing the user from completing the SSL handshake (the last Access-Request message was fragmented).

Thanks again.
--
Lucile Quirion

Consultante en logiciels libres
Savoir-faire Linux
Tel: + 1 (514) 276 5468, ext. 312
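The root cause above is worth sizing up, because the posted `fragment_size = 1024` in tls-common only bounds what the server sends: the size of the EAP-TLS fragment carrying the client certificate is chosen by the supplicant (Windows), and the NAS simply wraps it in 253-octet EAP-Message attributes. A client Certificate flight of a couple of kilobytes therefore becomes a single UDP datagram well above a 1500-byte MTU, and anything on the NAS-to-server path that drops non-initial IPv4 fragments kills exactly the last Access-Request of the handshake. The following script is an added example, not code from this thread or from FreeRADIUS: it builds such an Access-Request (with a valid Message-Authenticator), predicts the fragment count for a given MTU, and computes the largest EAP-TLS fragment that would still fit. The NAS attribute values are modelled on the posted debug log, and the shared secret, MTU and TLS payload sizes are assumptions.

```python
"""Size a RADIUS Access-Request that carries one EAP-TLS response and predict
whether the NAS -> RADIUS datagram is fragmented at the IP layer.
Added example, not FreeRADIUS code. NAS attribute values are modelled on the
posted debug log; the shared secret, MTU and TLS sizes are assumptions."""
import hashlib
import hmac
import os
import struct

RADIUS_HDR = 20      # code, identifier, length, request authenticator
ATTR_HDR = 2         # type, length
EAP_MSG_MAX = 253    # RFC 2869: EAP-Message carries at most 253 octets of EAP data
IP_HDR, UDP_HDR = 20, 8


def attr(attr_type, value):
    """One RADIUS attribute: type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([attr_type, len(value) + ATTR_HDR]) + value


# Constructed NAS attributes in the shape of the posted log (not a real capture).
OTHER_ATTRS = (
    attr(61, struct.pack("!I", 19))                 # NAS-Port-Type = Wireless-802.11
    + attr(12, struct.pack("!I", 1400))             # Framed-MTU
    + attr(31, b"24-77-03-1F-B6-78")                # Calling-Station-Id
    + attr(30, b"06-F0-21-11-27-D1:acksys")         # Called-Station-Id
    + attr(24, bytes.fromhex("e01d52c2e1855f27"))   # State echoed from the challenge
)


def eap_tls_response(eap_id, tls_fragment, more_fragments=False, total_len=None):
    """EAP Response (code 2), type 13 EAP-TLS. Flags: L (length) 0x80, M (more) 0x40.
    The supplicant, not the RADIUS server, decides how big this fragment is."""
    flags, body = 0, b""
    if total_len is not None:
        flags |= 0x80
        body += struct.pack("!I", total_len)
    if more_fragments:
        flags |= 0x40
    body = bytes([13, flags]) + body + tls_fragment
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def access_request(eap_packet, secret, req_id=0, user_name=b"eloi",
                   other_attrs=OTHER_ATTRS, authenticator=None):
    """Wrap an EAP packet the way a NAS does: split it across EAP-Message (79)
    attributes and sign with Message-Authenticator (80), an HMAC-MD5 over the
    whole packet with the attribute value zeroed (RFC 3579)."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(1, user_name) + other_attrs
    for i in range(0, len(eap_packet), EAP_MSG_MAX):
        attrs += attr(79, eap_packet[i:i + EAP_MSG_MAX])
    attrs += attr(80, bytes(16))
    pkt = struct.pack("!BBH", 1, req_id, RADIUS_HDR + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt, secret):
    """Check the Message-Authenticator of a packet built by access_request()
    (it is always the last attribute there)."""
    expected = hmac.new(secret, pkt[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])


def ip_fragments(udp_payload_len, mtu=1500):
    """Number of IPv4 fragments needed for a UDP datagram with this payload."""
    datagram = UDP_HDR + udp_payload_len
    if datagram <= mtu - IP_HDR:
        return 1
    per_fragment = (mtu - IP_HDR) // 8 * 8   # fragment offsets count 8-octet units
    return -(-datagram // per_fragment)


def max_tls_fragment(mtu=1500, user_name=b"eloi", other_attrs=OTHER_ATTRS,
                     length_included=True):
    """Largest EAP-TLS fragment the supplicant could send without the NAS's
    Access-Request being IP-fragmented on a path with this MTU."""
    budget = (mtu - IP_HDR - UDP_HDR - RADIUS_HDR
              - (ATTR_HDR + len(user_name)) - len(other_attrs) - (ATTR_HDR + 16))
    eap_len = budget
    while eap_len + ATTR_HDR * -(-eap_len // EAP_MSG_MAX) > budget:
        eap_len -= 1
    return eap_len - 6 - (4 if length_included else 0)


if __name__ == "__main__":
    secret = b"testing123"                      # assumed shared secret
    # 168-byte ClientHello as in the log: fits in one datagram.
    small = access_request(eap_tls_response(151, bytes(168), total_len=168), secret)
    # ~2.2 KB client Certificate flight (constructed size): fragments at MTU 1500.
    big = access_request(eap_tls_response(153, bytes(2200), total_len=2200), secret)
    for name, pkt in (("ClientHello", small), ("Certificate", big)):
        print(f"{name}: RADIUS length {len(pkt)}, IPv4 fragments {ip_fragments(len(pkt))}")
    print("largest EAP-TLS fragment that avoids IP fragmentation:", max_tls_fragment())
```

The quick field check that matches this is to run `tcpdump -ni <iface> 'udp port 1812 or (ip[6:2] & 0x1fff != 0)'` on both sides of the switch during a connection attempt: if the non-initial fragments show up on the access-point side but never reach the server, the middlebox is the problem, not the certificates. The server-side `radiusd -X` output alone cannot tell the two apart, since a fragmented datagram that never reassembles is simply never received.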
Stefan Winter
2016-06-12 20:38:42 UTC
Hi,
Post by Lucile Quirion
I've installed v3.1.x and the problem resolved itself.
* Choose a certificate [Ok]
* Checking network requirements
* Continue connecting?
If you expect to find acksys in this location, go ahead and connect. Otherwise, it may be a different network with the same name.
[Show certificate details]
[Connect] [Cancel]
* Checking network requirements
And the connection was established.
It's funny how some people think that the workflow above equals "it
works". If Windows asks the "Show cert details / do you expect"
question, then this means the server certificate and CA chain checks
*failed* and it's resorting to user-interactive "D'oh, I'm guessing" mode.

So, security-wise, seeing this workflow means your setup is still
broken; just more subtly than before.

Greetings,

Stefan Winter
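On the Windows side, the behaviour Stefan describes is governed by the EAP-TLS section of the WLAN profile: when `DisableUserPromptForServerValidation` is not `true`, a server certificate that fails the chain or name check produces the "Continue connecting? / Show certificate details" dialog instead of a hard failure, and without `ServerNames` and `TrustedRootCA` pinned, any certificate from any root in the store is accepted. The script below is an added example, not something from this thread or from Microsoft: it audits an exported profile for those weaknesses and writes back a hardened one. The namespace URIs are the ones `netsh wlan export profile` emits for EAP-TLS; the sample profile, the server name and the root CA thumbprint are constructed placeholders.

```python
"""Audit and harden the EAP-TLS server-validation settings in a Windows WLAN
profile (the XML written by `netsh wlan export profile` and read back by
`netsh wlan add profile`). Added example; the sample profile and the
thumbprint used below are constructed, not taken from a real machine."""
import xml.etree.ElementTree as ET

TLS_V1 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"
TLS_V2 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"

# Constructed weak profile: the prompt is allowed, and neither a server name
# nor a root CA is pinned, so a failed chain check becomes a user dialog.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>acksys</name>
  <SSIDConfig><SSID><name>acksys</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>13</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                  <ServerNames></ServerNames>
                </ServerValidation>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def audit_profile(xml_text):
    """Return the server-validation weaknesses found in a profile (empty list = ok)."""
    root = ET.fromstring(xml_text)
    sv = root.find(f".//{{{TLS_V1}}}ServerValidation")
    if sv is None:
        return ["no EAP-TLS ServerValidation block: the server certificate is not checked"]
    findings = []
    if (sv.findtext(f"{{{TLS_V1}}}DisableUserPromptForServerValidation") or "").strip() != "true":
        findings.append("DisableUserPromptForServerValidation is not true: a failed chain or "
                        "name check falls back to the 'Continue connecting?' prompt")
    if not (sv.findtext(f"{{{TLS_V1}}}ServerNames") or "").strip():
        findings.append("ServerNames is empty: any certificate from a trusted CA passes as the RADIUS server")
    if not [e for e in sv.findall(f"{{{TLS_V1}}}TrustedRootCA") if (e.text or "").strip()]:
        findings.append("no TrustedRootCA pinned: every root in the certificate store is trusted for EAP")
    perform = root.find(f".//{{{TLS_V2}}}PerformServerValidation")
    if perform is not None and (perform.text or "").strip() != "true":
        findings.append("PerformServerValidation is false: the server certificate is not validated at all")
    return findings


def _child(parent, tag, position):
    """Find a child element or create it at the schema's position in the sequence."""
    el = parent.find(tag)
    if el is None:
        el = ET.Element(tag)
        parent.insert(position, el)
    return el


def harden_profile(xml_text, server_names, root_ca_sha1_hex):
    """Disable the prompt and pin the RADIUS server name(s) and the issuing root CA."""
    root = ET.fromstring(xml_text)
    sv = root.find(f".//{{{TLS_V1}}}ServerValidation")
    if sv is None:
        raise ValueError("profile has no EAP-TLS ServerValidation block")
    _child(sv, f"{{{TLS_V1}}}DisableUserPromptForServerValidation", 0).text = "true"
    # Same format as the 'Connect to these servers' field in the UI: names joined by ';'
    _child(sv, f"{{{TLS_V1}}}ServerNames", 1).text = ";".join(server_names)
    for old in sv.findall(f"{{{TLS_V1}}}TrustedRootCA"):
        sv.remove(old)
    thumb = root_ca_sha1_hex.replace(":", "").replace(" ", "").lower()
    if len(thumb) != 40 or any(c not in "0123456789abcdef" for c in thumb):
        raise ValueError("expected a SHA-1 thumbprint (40 hex digits)")
    # netsh writes the thumbprint as space-separated hex byte pairs
    ET.SubElement(sv, f"{{{TLS_V1}}}TrustedRootCA").text = " ".join(thumb[i:i + 2] for i in range(0, 40, 2))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("WEAK:", finding)
    fixed = harden_profile(SAMPLE_PROFILE, ["radius.acksys.example"],
                           "00112233445566778899aabbccddeeff00112233")   # placeholder thumbprint
    print("after hardening:", audit_profile(fixed) or "no findings")
```

To use it against a real client, export the profile with `netsh wlan export profile name="acksys" folder=C:\tmp`, run the audit on the file, and re-import the hardened output with `netsh wlan add profile filename=... user=current`. Pin the thumbprint of the private CA that signed the server certificate, not a public root, and make sure the server certificate carries the name you pin; with the prompt disabled, a mismatch is an authentication failure rather than a dialog, which is the behaviour you want from an EAP-TLS deployment.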
Arran Cudbard-Bell
2016-06-12 20:49:13 UTC
Post by Stefan Winter
Hi,
Post by Lucile Quirion
I've installed v3.1.x and the problem resolved itself.
* Choose a certificate [Ok]
* Checking network requirements
* Continue connecting?
If you expect to find acksys in this location, go ahead and connect. Otherwise, it may be a different network with the same name.
[Show certificate details]
[Connect] [Cancel]
* Checking network requirements
And the connection was established.
It's funny how some people think that the workflow above equals "it
works". If Windows asks the "Show cert details / do you expect"
question, then this means the server certificate and CA chain checks
*failed* and it's resorting to user-interactive "D'oh, I'm guessing" mode.
So, security-wise, seeing this workflow means your setup is still
broken; just more subtly than before.
http://www.slideshare.net/ArranCudbardBell/networkshop44

See slides 6-16 :)

-Arran

Arran Cudbard-Bell <***@freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2