[RADIATOR] EAP-PEAP Windows XP Wired Ethernet

vietrha at indo.net.id vietrha at indo.net.id
Sat Dec 17 01:01:08 CST 2011 


I'm using Microsoft Windows XP Professional SP 2

Quoting Heikki Vatiainen <hvn at open.com.au>:

> On 12/16/2011 04:13 AM, Indrajaya Pitra Perdana wrote:
>
>> Thanks, i give it a try, i already enable tls trace in my win xp, and i
>> don't see there's an exchange certificate :-)
>
> What client are you using? I noticed the log shows it sends EAP TLS
> (type 13) responses while also logging about detecting PEAP authentication.
>
>> [1448] 11:49:36:218: PeapReadConnectionData
>> [1448] 11:49:36:218: PeapReadUserData
>> [1448] 11:49:36:218: RasEapGetInfo
>> [2884] 11:49:52:515: EapPeapBegin
>> [2884] 11:49:52:515: PeapReadConnectionData
>> [2884] 11:49:52:515: PeapReadUserData
>> [2884] 11:49:52:515:
>> [2884] 11:49:52:515: EapTlsBegin(test)
>> [2884] 11:49:52:515: State change to Initial
>> [2884] 11:49:52:515: EapTlsBegin: Detected 8021X authentication
>> [2884] 11:49:52:515: EapTlsBegin: Detected PEAP authentication
>> [2884] 11:49:52:515: MaxTLSMessageLength is now 16384
>> [2884] 11:49:52:515: EapPeapBegin done
>> [2884] 11:49:52:515: EapPeapMakeMessage
>> [2884] 11:49:52:515: EapPeapCMakeMessage
>> [2884] 11:49:52:515: PEAP:PEAP_STATE_INITIAL
>> [2884] 11:49:52:515: EapTlsCMakeMessage
>> [2884] 11:49:52:515: EapTlsReset
>> [2884] 11:49:52:515: State change to Initial
>> [2884] 11:49:52:515: GetCredentials
>> [2884] 11:49:52:515: Flag is Client and Store is Current User
>> [2884] 11:49:52:515: GetCachedCredentials
>> [2884] 11:49:52:515: FreeCachedCredentials
>> [2884] 11:49:52:515: No Cert Store.  Guest Access requested
>> [2884] 11:49:52:515: No Cert Name.  Guest access requested
>> [2884] 11:49:52:515: Will validate server cert
>> [2884] 11:49:52:515: MakeReplyMessage
>> [2884] 11:49:52:515: SecurityContextFunction
>> [2884] 11:49:52:515: InitializeSecurityContext returned 0x90312
>> [2884] 11:49:52:515: State change to SentHello
>> [2884] 11:49:52:515: BuildPacket
>> [2884] 11:49:52:515: << Sending Response (Code: 2) packet: Id: 2,
>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>> [2884] 11:49:52:515: EapPeapCMakeMessage done
>> [2884] 11:49:52:515: EapPeapMakeMessage done
>> [1352] 11:50:22:531: EapPeapEnd
>> [1352] 11:50:22:531: EapTlsEnd
>> [1352] 11:50:22:531: EapTlsEnd(test)
>> [1352] 11:50:22:531: EapPeapEnd done
>> [1352] 11:50:22:562: EapPeapBegin
>> [1352] 11:50:22:562: PeapReadConnectionData
>> [1352] 11:50:22:562: PeapReadUserData
>> [1352] 11:50:22:562:
>> [1352] 11:50:22:562: EapTlsBegin(test)
>> [1352] 11:50:22:562: State change to Initial
>> [1352] 11:50:22:562: EapTlsBegin: Detected 8021X authentication
>> [1352] 11:50:22:562: EapTlsBegin: Detected PEAP authentication
>> [1352] 11:50:22:562: MaxTLSMessageLength is now 16384
>> [1352] 11:50:22:562: EapPeapBegin done
>> [1352] 11:50:22:562: EapPeapMakeMessage
>> [1352] 11:50:22:562: EapPeapCMakeMessage
>> [1352] 11:50:22:562: PEAP:PEAP_STATE_INITIAL
>> [1352] 11:50:22:562: EapTlsCMakeMessage
>> [1352] 11:50:22:562: EapTlsReset
>> [1352] 11:50:22:562: State change to Initial
>> [1352] 11:50:22:562: GetCredentials
>> [1352] 11:50:22:562: Flag is Client and Store is Current User
>> [1352] 11:50:22:562: GetCachedCredentials
>> [1352] 11:50:22:562: FreeCachedCredentials
>> [1352] 11:50:22:562: No Cert Store.  Guest Access requested
>> [1352] 11:50:22:562: No Cert Name.  Guest access requested
>> [1352] 11:50:22:562: Will validate server cert
>> [1352] 11:50:22:562: MakeReplyMessage
>> [1352] 11:50:22:562: SecurityContextFunction
>> [1352] 11:50:22:562: InitializeSecurityContext returned 0x90312
>> [1352] 11:50:22:562: State change to SentHello
>> [1352] 11:50:22:562: BuildPacket
>> [1352] 11:50:22:562: << Sending Response (Code: 2) packet: Id: 37,
>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>> [1352] 11:50:22:562: EapPeapCMakeMessage done
>> [1352] 11:50:22:562: EapPeapMakeMessage done
>> [1448] 11:50:52:578: EapPeapEnd
>> [1448] 11:50:52:578: EapTlsEnd
>> [1448] 11:50:52:578: EapTlsEnd(test)
>> [1448] 11:50:52:578: EapPeapEnd done
>> [1448] 11:51:52:593: PeapReadConnectionData
>> [1448] 11:51:52:593: PeapReadUserData
>> [1448] 11:51:52:593: RasEapGetInfo
>> [1352] 12:02:42:625: PeapReadConnectionData
>> [1352] 12:02:42:640: PeapReadUserData
>> [1352] 12:02:42:640: RasEapGetInfo
>> [1352] 12:02:42:640: PeapReDoUserData
>> [1352] 12:02:42:640: EapTlsInvokeIdentityUI
>> [1352] 12:02:42:640: GetCertInfo
>> [1352] 12:03:42:640: PeapReadConnectionData
>> [1352] 12:03:42:640: PeapReadUserData
>> [1352] 12:03:42:640: RasEapGetInfo
>> [1352] 12:03:42:671: EapPeapBegin
>> [1352] 12:03:42:671: PeapReadConnectionData
>> [1352] 12:03:42:671: PeapReadUserData
>> [1352] 12:03:42:671:
>> [1352] 12:03:42:671: EapTlsBegin(GHOST\indrajaya)
>> [1352] 12:03:42:671: State change to Initial
>> [1352] 12:03:42:671: EapTlsBegin: Detected 8021X authentication
>> [1352] 12:03:42:671: EapTlsBegin: Detected PEAP authentication
>> [1352] 12:03:42:671: MaxTLSMessageLength is now 16384
>> [1352] 12:03:42:671: EapPeapBegin done
>> [1352] 12:03:42:671: EapPeapMakeMessage
>> [1352] 12:03:42:671: EapPeapCMakeMessage
>> [1352] 12:03:42:671: PEAP:PEAP_STATE_INITIAL
>> [1352] 12:03:42:671: EapTlsCMakeMessage
>> [1352] 12:03:42:671: EapTlsReset
>> [1352] 12:03:42:671: State change to Initial
>> [1352] 12:03:42:671: GetCredentials
>> [1352] 12:03:42:671: Flag is Client and Store is Current User
>> [1352] 12:03:42:671: GetCachedCredentials
>> [1352] 12:03:42:671: FreeCachedCredentials
>> [1352] 12:03:42:671: No Cert Store.  Guest Access requested
>> [1352] 12:03:42:671: No Cert Name.  Guest access requested
>> [1352] 12:03:42:671: Will validate server cert
>> [1352] 12:03:42:671: MakeReplyMessage
>> [1352] 12:03:42:671: SecurityContextFunction
>> [1352] 12:03:42:671: InitializeSecurityContext returned 0x90312
>> [1352] 12:03:42:671: State change to SentHello
>> [1352] 12:03:42:671: BuildPacket
>> [1352] 12:03:42:671: << Sending Response (Code: 2) packet: Id: 3,
>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>> [1352] 12:03:42:671: EapPeapCMakeMessage done
>> [1352] 12:03:42:671: EapPeapMakeMessage done
>> [2004] 12:04:12:687: EapPeapEnd
>> [2004] 12:04:12:687: EapTlsEnd
>> [2004] 12:04:12:687: EapTlsEnd(ghost\indrajaya)
>> [2004] 12:04:12:687: EapPeapEnd done
>> [2004] 12:04:42:734: EapPeapBegin
>> [2004] 12:04:42:734: PeapReadConnectionData
>> [2004] 12:04:42:734: PeapReadUserData
>>
>> /Regards,
>> Indrajaya Pitra Perdana/
>>
>> On 12/15/2011 6:04 PM, Heikki Vatiainen wrote:
>>> On 12/15/2011 06:18 AM, Indrajaya Pitra Perdana wrote:
>>>
>>>> The problem still persist even i created my own certificate using the
>>>> steps in mkcertificate.sh goodies , my windows didn't respon to the eap
>>>> challenge sent by Radiator, do u have any clue on this? or perhaps the
>>>> problem is within my 2950 catalyst ? thanks :-)
>>> You could try enabling debug for EAP authentication on the switch to see
>>> how it reacts to EAP messages.
>>>
>>> Meanwhile you could also try running wireshark on Windows to see if the
>>> challenge with the certificate is sent by the switch to the XP box.
>>>
>>> One thing you could try first is to use even lower value for
>>> EAPTLS_MaxFragmentSize
>>>
>>> The messages before certifcate are much smaller and so this challenge
>>> would be the first that can reach the maximum size.
>>>
>>> Thanks!
>>>
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.

More information about the radiator mailing list