[RADIATOR] Windows 7 PEAP-MSCHAPV2 w/out trusted CA selected?

Gregory Fuller gregory.fuller at oswego.edu
Mon Jan 30 14:59:46 CST 2012


Anyone happen to run across this same issue? We run wired 802.1x on
all of our switch ports.  Majority of our desktop clients are Windows
XP SP3.  We used PEAP-MSCHAPV2 with a public certificate signed by the
Thawte CA within radiator.  In my PEAP configuration on the XP clients
I tell the client to validate the certificate but have NO CA's
selected from the certificate trust store.  This will allow a
certificate signed by any of the CA's that are in the CA cert store to
be validated properly.  This works like a charm under XP with no
problems.  I'm aware of the potential downside and consequences of
attacks doing it this way.

We now have some Windows 7 Enterprise clients going out the door and
have configured them in exactly the same way, having the client
validate the cert against any of the CA's (ie: NO CA's are checked).
This should use any certificate signed from any of the CA's within the
Windows CA Cert store.  The Windows 7 docs on Technet even say this
should work:

http://technet.microsoft.com/en-us/library/dd759154.aspx

In step 5c:  "If no trusted root CAs are selected, then clients trust
all trusted root CAs in their trusted root certification authority
store"

This doesn't appear to be the case.  If I don't select any trusted
CA's from this list the authentication fails against radiator and I
get the following in the radiator log file which indicates that the
client rejected the cert:

Mon Jan 30 11:18:41 2012: INFO: Access rejected for host/MYCOMP-019489.domain.tld: EAP PEAP TLS read failed
Mon Jan 30 11:18:41 2012: ERR: EAP PEAP TLS read failed:  19339: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

Looking at the client supplicant logs I can see that the client does
reject it because no CA is selected.

If I go back and select only the Thawte Primary Root CA, then
authentications work properly and the client can connect without
issues.

I know this isn't a radiator thing, just wondering if others have run
across this inconsistency with Windows 7 at all.  Not sure if a recent
Windows patch broke the functionality as originally explained in the
above Technet article or if it just never worked.  I'll probably open a
case with MS to verify, but I'm pretty sure others have probably run
across this already.

--greg


Gregory A. Fuller - CCNP, CCNA Security
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller
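The two Radiator log lines quoted above are the only evidence in the post that it is the supplicant, not the RADIUS server, that is refusing the handshake. The "tlsv1 alert access denied" text comes from OpenSSL, which encodes a TLS alert received from the peer as reason code 1000 + the alert number (here 0x419 = 1049, i.e. alert 49, access_denied). The following script, an added example that is not part of the original post or of Radiator, parses that style of log line, decodes the packed OpenSSL error code, and tells apart "the supplicant rejected our server certificate" from other TLS failures. It assumes the one-line Radiator format shown above (timestamp, level, message) and an OpenSSL 1.0.x-style error string; the sample log is constructed here, with the first two lines taken from the post and the rest made up for contrast.

```python
"""Triage Radiator PEAP/TLS failures from the server log.

Added example, not part of the original post or of Radiator itself. It assumes
the one-line Radiator log format quoted in the post (timestamp, level, message)
and an OpenSSL 1.0.x-style error string of the form
'error:<8 hex digits>:SSL routines:<function>:<reason text>'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log. The first two lines are the ones quoted in the post
# (re-joined onto single lines); the remaining lines are made up for contrast.
SAMPLE_LOG = """\
Mon Jan 30 11:18:41 2012: INFO: Access rejected for host/MYCOMP-019489.domain.tld: EAP PEAP TLS read failed
Mon Jan 30 11:18:41 2012: ERR: EAP PEAP TLS read failed:  19339: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Mon Jan 30 11:20:03 2012: INFO: Access accepted for host/MYCOMP-019490.domain.tld
Mon Jan 30 11:21:17 2012: ERR: EAP PEAP TLS read failed:  19340: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Mon Jan 30 11:22:09 2012: ERR: EAP PEAP TLS read failed:  19341: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:(?P<func>[^:]+):(?P<reason>.*)$"
)

# OpenSSL reports a TLS alert received from the peer as reason = 1000 + alert number.
SSL_AD_REASON_OFFSET = 1000

# TLS alert descriptions (RFC 5246 section 7.2), the subset worth naming here.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}
# Alerts a peer sends when it will not accept the certificate it was shown.
# Radiator is the TLS server in PEAP, so these mean the supplicant refused the
# server certificate; the fix is on the client side, not in the RADIUS config.
PEER_CERT_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48, 49}


@dataclass
class TlsFailure:
    timestamp: str
    openssl_code: int
    ssl_function: str
    reason_text: str
    alert: Optional[int]  # TLS alert number if the reason is a received alert, else None


def decode_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 1.0.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def tls_alert_number(code: int) -> Optional[int]:
    """Return the TLS alert number encoded in an OpenSSL reason code, or None."""
    _lib, _func, reason = decode_openssl_error(code)
    if reason >= SSL_AD_REASON_OFFSET:
        return reason - SSL_AD_REASON_OFFSET
    return None


def parse_failures(log_text: str) -> List[TlsFailure]:
    """Extract every ERR line that carries an OpenSSL error string."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "ERR":
            continue
        e = OPENSSL_ERR_RE.search(m.group("msg"))
        if not e:
            continue
        code = int(e.group("code"), 16)
        failures.append(TlsFailure(m.group("ts"), code, e.group("func"),
                                   e.group("reason").strip(), tls_alert_number(code)))
    return failures


def classify(f: TlsFailure) -> str:
    """One-line diagnosis of who broke the PEAP TLS handshake and why."""
    if f.alert in PEER_CERT_REJECTION_ALERTS:
        name = TLS_ALERTS.get(f.alert, "unknown")
        return (f"supplicant rejected the server certificate (TLS alert {f.alert} {name}); "
                "check the client's server-validation / trusted root CA settings")
    if f.alert is not None:
        return f"supplicant sent TLS alert {f.alert} {TLS_ALERTS.get(f.alert, 'unknown')}"
    return f"local TLS error in {f.ssl_function}: {f.reason_text}"


if __name__ == "__main__":
    for failure in parse_failures(SAMPLE_LOG):
        print(failure.timestamp, "-", classify(failure))
```

Run against a real Radiator log with `parse_failures(open(path).read())`. The point of the decoding step is that the alert number, not the free-text reason, is the reliable signal: any alert in the 42..49 range arriving at the server means the client, having seen the server certificate, refused it, which is exactly the behaviour the post describes when no trusted root CA is ticked on the Windows 7 client.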

