Stopped working, possibly adding certificate

slebbon
Posts: 11
1.02.2019
I had TekRadius (commercial version) working with our wireless authentication against AD for 1 day using a self-signed 'test' certificate I generated in TekCert. I then changed the certificate to a public one issued to our TekRadius server from GoDaddy. Since restarting TekRadius with that cert, I don't think it has been working. When I do a RADIUS test now from our AP tool, it 'fails' even with a simple local TekRadius account. The end of the debug log looks like this:


01.02.2019 11:03:12.512 - Authentication query for user 'test'; SELECT Attribute, Val from Users where UserName = 'test' and AttrType = 0

01.02.2019 11:03:12.512 - EAP-PEAP Authentication commencing for user 'test' [2 (4)]

01.02.2019 11:03:12.512 - PEAP Challenge sent for user 'test' [3 (4), af1f9ed7c961f0b2c4d25d15f74e285d].

01.02.2019 11:03:12.574 - MultipleHandshakeSize = 0 [False]

Master Secret 256 byte(s)


Client Finished 48 byte(s)

[000] AB 81 99 20 26 A1 F6 51 9A 7B 73 A8 84 F1 5B A3 ... &..Q .{s...[.
[010] 9A EF 9C 94 A8 57 71 C1 26 7E 46 DD 61 56 24 92 .....Wq. &~F.aV$.
[020] 17 13 E5 78 B9 53 50 37 48 63 16 B9 2C 67 FE 82 ...x.SP7 Hc..,g..

01.02.2019 11:03:12.574 - PEAP Response received.

01.02.2019 11:03:12.574 - RadAuth req. from : 10.201.10.61:53726 [UDP]

Size : 503 / 503
Identifier : 5
Attributes :

Framed-MTU = 1400
State = af1f9ed7c961f0b2c4d25d15f74e285d
NAS-Port-Type = 19
Called-Station-Id = AC-17-C8-10-15-DD:SSID
Connect-Info = CONNECT 11Mbps 802.11b
Calling-Station-Id = 00-00-00-00-00-02
NAS-IP-Address = 6.16.21.221
User-Name = test

01.02.2019 11:03:12.574 - Authentication query for user 'test'; SELECT Attribute, Val from Users where UserName = 'test' and AttrType = 0

01.02.2019 11:03:12.574 - EAP-PEAP Authentication commencing for user 'test' [3 (5)]

01.02.2019 11:03:44.798 - Debug Message (Timer) Session timer expired for the session 'af1f9ed7c961f0b2c4d25d15f74e285d'

01.02.2019 11:03:44.798 - Debug Message (Timer) Session timer expired for the session '6af460f2d980af117c2378d49f09a658'



The log just ends there and authentication on the AP test 'fails' without much detail.

What could be the problem?

Admin
Administrator
Posts: 4878
1.02.2019
It should be a certificate issue, since it seems that the TLS session is established. Is there any error message displayed on the client side? A Wireshark trace for an authentication attempt would be very useful to understand the cause of the problem.

slebbon
Posts: 11
1.02.2019
Here's a packet capture of the test session (different time than the logs, but same result).

I didn't get details on the Windows client error, other than a report from the site that "the laptops can't connect to wireless".
On the vendor's device 'test radius' page there is no error reported. I did get authentication failures in the past when the username/password didn't exist, but now it's not returning anything useful beyond "test failed".
edited by Admin on 5.02.2019

Admin
Administrator
Posts: 4878
1.02.2019
Which version of TekRADIUS do you use? What is your logging level, Debug or Developer?

slebbon
Posts: 11
1.02.2019
LT v5.5. Logging is set to Developer.

Admin
Administrator
Posts: 4878
1.02.2019
Can you try with a TekCERT-generated certificate again?

slebbon
Posts: 11
1.02.2019
I re-installed the free TekCert and generated another temporary sha1 certificate, the wireless Self-test now passes as it did before. I don't have anyone onsite any longer today to test, but I would assume it will work again for Windows PCs as it did last week, but will prompt with the untrusted certificate warning.

So that goes to the GoDaddy certificate... is there something 'missing' from it? I'm not sure what else from them I could have done differently. It's valid and trusted in Windows with the private key available, expires in 2 years, and the cert trust chain is "ok" again according to Windows.

Admin
Administrator
Posts: 4878
2.02.2019
How have you generated the certificate signing request?

Admin
Administrator
Posts: 4878
2.02.2019
Can you also send the full session log to yasin.kaplan@kaplansoft.com?

slebbon
Posts: 11
5.02.2019
I just wanted to close the loop in the public forums, since the solution was taken offline and proved so helpful.

Ultimately you suggested exporting and re-importing the certificate, and that was spot-on. Upon exporting I got prompted for CNG storage access authorization, and determined the key request had been created as a CNG rather than a “Legacy” CryptoAPI key request, and thus was stored in the newer CNG in Windows. Exporting and importing to the standard (older) method of key storage (which doesn’t prompt the user for key access/usage authorization) has allowed TekRADIUS now to work without issue with the GoDaddy Key.


Thank you so very much for your efforts in examining this issue with me, it was very strange to me why these errors were occurring, but always there is a good explanation if we can just find it!


Also very impressed with your feedback that you are starting to support CNGKeys and that you are obviously keeping this product well up to date and maintained. Since you replied today:
"TekRADIUS supports CNGKeys but it seems that additional permissions are needed to access them. We are adding additional diagnostic output for CNG key operations in TekRADIUS."

Again, thank you for all your help; I wanted to make sure this got posted for anyone else that may run into a similar issue.
0 link
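
The fix described in the post above turned on where Windows stored the certificate's private key: a CNG key storage provider versus a legacy CryptoAPI provider. The following PowerShell check is an added example, not part of the original posts or of TekRADIUS. It assumes English-language certutil output containing a `Provider = ` line; the function names, sample output, thumbprint, PFX path and the legacy provider named in the last comment are illustrative assumptions.

```powershell
# Added example: classify where a certificate's private key lives
# (CNG key storage provider vs legacy CryptoAPI CSP).
# Assumes English-language certutil output with a "Provider = <name>" line.

function Get-KeyStorageKind {
    param([Parameter(Mandatory)][string]$ProviderName)
    # CNG key storage providers (KSPs); anything else is treated as a legacy CSP.
    if ($ProviderName -match 'Key Storage Provider$' -or
        $ProviderName -eq 'Microsoft Platform Crypto Provider') { 'CNG' }
    else { 'CryptoAPI' }
}

function Get-ProviderFromCertutil {
    param([Parameter(Mandatory)][string[]]$CertutilOutput)
    foreach ($line in $CertutilOutput) {
        if ($line -match '^\s*Provider\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null   # no provider line: no private key is associated with the cert
}

function Test-CertKeyStorage {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Query the LocalMachine "My" store for one certificate by thumbprint.
    $out = & certutil.exe -store My $Thumbprint
    $provider = Get-ProviderFromCertutil -CertutilOutput $out
    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Provider   = $provider
        Storage    = if ($provider) { Get-KeyStorageKind $provider } else { 'NoPrivateKey' }
    }
}

# Constructed sample output (not from the thread) so the parser can be tried offline.
$sample = @(
    '  Key Container = constructed-example-container',
    '  Provider = Microsoft Software Key Storage Provider'
)
Get-KeyStorageKind (Get-ProviderFromCertutil $sample)

# On the RADIUS server, from an elevated prompt (placeholders, not real values):
#   Test-CertKeyStorage -Thumbprint '<THUMBPRINT>'
# Re-import an exported PFX so the key lands in a legacy CryptoAPI provider
# (provider choice is an assumption; pick one your server software supports):
#   certutil.exe -csp "Microsoft RSA SChannel Cryptographic Provider" -importPFX 'C:\path\to\server.pfx'
```

A `Storage` value of `CNG` for the server certificate matches the situation the post describes, where the key request had been created as CNG rather than legacy CryptoAPI.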
Admin
Administrator
Posts: 4878
5.02.2019
You're welcome