Windows PEAP-TLS authentication issues

pgaudil (Posts: 18), 1.10.2020
Hi,

I have the following setup:
Window Client <---> cisco switch 2960 <-----> radius
I use PEAP-TLS authentication. It works with a standard Windows 10 client.
But with a customized windows 10 client, I get the following issue:

01.10.2020 12:52:05.750 - Authentication query for user 'user'; SELECT Attribute, Val from Users where UserName = 'user' and AttrType = 0
01.10.2020 12:52:05.750 - EAP-PEAP Authentication commencing for user 'cortexadmin' [2 (138)]
01.10.2020 12:52:05.750 - PEAP Challenge sent for user 'cortexadmin' [3 (138), cdb985937b376dba87ce64f30097c6cc].
01.10.2020 12:52:05.765 - Abnormal EAP request received (255), requesting identity. (PEAP State 3C)
01.10.2020 12:52:05.765 - PEAP Response received.
01.10.2020 12:52:05.765 - RadAuth req. from : 11.12.18.254:1645 [UDP]

The certificate is OK (good dates).
What is the signification of the following message:
Abnormal EAP request received (255), requesting identity. (PEAP State 3C)

best regards,

Pierre
edited by pgaudil on 1.10.2020


Admin (Administrator, Posts: 5028), 1.10.2020
Hi,

Do you use EAP-TLS authentication method as inner authentication method for PEAP in place of default MS-CHAP-v2?

Best regards,

Yasin KAPLAN

pgaudil (Posts: 18), 1.10.2020
I use MS-CHAP-V2. The strange thing is that it falls into an infinite loop of login attempts. I have Wireshark traces.
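A small detector for the retry loop described here, written as an added example for this thread (it is not TekRADIUS code). It parses log lines in the format quoted in the first post, attributes each "Abnormal EAP request" line to the user of the most recent "Authentication commencing" line (the abnormal-request line itself names no user), and flags a user whose handshake is aborted repeatedly inside a short window. The sample log lines are constructed, and the 10-second window and threshold of 3 are assumptions.

```python
"""Flag PEAP clients that keep restarting the handshake. Added example for this
thread, not TekRADIUS code; the log lines are constructed in the format quoted
in the first post, and the window and threshold values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (.*)$")
COMMENCE_RE = re.compile(r"Authentication commencing for user '([^']+)'")
ABNORMAL_RE = re.compile(r"Abnormal EAP request received \((\d+)\)")


def parse_line(line):
    """Return (timestamp, message) or None for lines not in the quoted log format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S.%f"), m.group(2)


def find_handshake_loops(lines, window=timedelta(seconds=10), threshold=3):
    """Return {user: aborts} for users whose PEAP handshake was cut off by an
    'Abnormal EAP request' at least `threshold` times within any `window`."""
    current_user = None
    aborts = defaultdict(list)  # user -> timestamps of aborted handshakes
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = COMMENCE_RE.search(msg)
        if m:
            current_user = m.group(1)  # the abnormal-request line names no user,
            continue                   # so attribute it to the handshake in progress
        if current_user and ABNORMAL_RE.search(msg):
            aborts[current_user].append(ts)
    loops = {}
    for user, stamps in aborts.items():
        stamps.sort()
        best = lo = 0
        for hi, t in enumerate(stamps):  # sliding window over the abort timestamps
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            loops[user] = best
    return loops


# Constructed sample: one client restarts four times in under two seconds,
# another exchanges a single PEAP round without an abnormal request.
SAMPLE_LOG = """\
01.10.2020 12:52:05.750 - EAP-PEAP Authentication commencing for user 'cortexadmin' [2 (138)]
01.10.2020 12:52:05.765 - Abnormal EAP request received (255), requesting identity. (PEAP State 3C)
01.10.2020 12:52:05.765 - PEAP Response received.
01.10.2020 12:52:06.250 - EAP-PEAP Authentication commencing for user 'cortexadmin' [2 (138)]
01.10.2020 12:52:06.265 - Abnormal EAP request received (255), requesting identity. (PEAP State 3C)
01.10.2020 12:52:06.750 - EAP-PEAP Authentication commencing for user 'cortexadmin' [2 (138)]
01.10.2020 12:52:06.765 - Abnormal EAP request received (255), requesting identity. (PEAP State 3C)
01.10.2020 12:52:07.250 - EAP-PEAP Authentication commencing for user 'cortexadmin' [2 (138)]
01.10.2020 12:52:07.265 - Abnormal EAP request received (255), requesting identity. (PEAP State 3C)
01.10.2020 12:53:10.000 - EAP-PEAP Authentication commencing for user 'alice' [2 (138)]
01.10.2020 12:53:10.015 - PEAP Response received.
""".splitlines()
```

Run `find_handshake_loops(SAMPLE_LOG)` to get `{'cortexadmin': 4}`; a looping supplicant shows up as a burst of aborts for one identity, which is easier to spot than reading the raw log by eye.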

Admin (Administrator, Posts: 5028), 1.10.2020
TekRADIUS expects the following TLS messages from the client:

Client Key Exchange
Change Cipher Spec
Encrypted Handshake Message

But it receives only a plain EAP response (Packet #9 in the Wireshark trace). I recommend you get an EAP trace on the Windows client.

pgaudil (Posts: 18), 1.10.2020
The Wireshark capture comes from the Windows client. Do you mean some other EAP traces? I am pretty new to RADIUS.
The strange thing is that, in front of a FreeRADIUS server, the Windows client sends the Client Key Exchange/Change Cipher Spec/Encrypted Handshake Message.

There is a difference in the Server Hello message from TekRADIUS and FreeRADIUS.

In Wireshark the TekRADIUS Server Hello appears like this:
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 1629
Handshake Protocol: Server Hello
Handshake Protocol: Certificate
Handshake Protocol: Server Hello Done

whereas the FreeRADIUS one appears like this:
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
TLSv1.2 Record Layer: Handshake Protocol: Certificate
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done

Do you know why the packet from TekRADIUS is shown as "TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages"?
Can it explain why the Windows client is unable to process it?

Admin (Administrator, Posts: 5028), 1.10.2020
Please see https://docs.microsoft.com/en-us/windows/win32/eaphost/enabling-tracing for EAP tracing in Windows.

Handshake messages can be consolidated in a single Record Layer message. Server Key Exchange is not required when the Certificate message contains enough data to allow the client to exchange a premaster secret (RFC 5246, section 7.4.3).

pgaudil (Posts: 18), 1.10.2020
The EAP trace is difficult to read. What am I supposed to look for?

pgaudil (Posts: 18), 1.10.2020
The EAP trace file is difficult to read (big XML file). What should I look for?

Admin (Administrator, Posts: 5028), 1.10.2020
You should look for exceptions and errors. Can you send me screen captures for EAP configuration in Windows 10 client?

Admin (Administrator, Posts: 5028), 2.10.2020
Everything seems OK. Have you tried to connect using a mobile device in place of the Windows 10 client? Can you send me the EAP trace taken from the Windows client?

pgaudil (Posts: 18), 2.10.2020
Here it is.
best regards
Pierre

Attachments:
EapHostPeer.zip

Admin (Administrator, Posts: 5028), 2.10.2020
Can you try with a certificate signed using an RSA based algorithm?

pgaudil (Posts: 18), 2.10.2020
The certificate is already RSA signed. I also tried with the TekRADIUS certificate generated during installation, same result. Should I generate another certificate? With what parameters?

best regards,

Pierre


pgaudil (Posts: 18), 2.10.2020
One more thing: I use TekRADIUS for wired 802.1X authentication. I tried with another PC running vanilla Windows 10, and it is working. But I need to use a custom OS, which doesn't work.

Admin (Administrator, Posts: 5028), 2.10.2020
As far as I can see in the Wireshark trace, the server certificate is signed using ECDSA-SHA-256. Please see the attached picture.

Attachments:
Certificate.png

pgaudil (Posts: 18), 2.10.2020
You're right: on this test I used the certificate from a test FreeRADIUS server with which it is working. But as I said earlier, with an RSA signed certificate like the one generated during installation of TekRADIUS, it is not working.
When I run the test in front of the FreeRADIUS server, the main difference in the Wireshark traces is that the server sends a "Server Key Exchange" message within the Server Hello:

Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
TLSv1.2 Record Layer: Handshake Protocol: Certificate
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done


With that Server Hello it is working. Is there a way to make TekRADIUS send this "Server Key Exchange" message?

best regards,

Pierre

Admin (Administrator, Posts: 5028), 2.10.2020
"Server Key Exchange" is required when you use ECDSA based signature algorithms. TekRADIUS does not support ECDSA based signature algorithms in certificates.
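To make the two TLS points raised in this thread concrete (handshake messages may be coalesced into one record or spread over several, and Server Key Exchange is needed only for ephemeral key exchange such as ECDHE, not for RSA key transport), here is an added example in Python; it is not TekRADIUS or FreeRADIUS code. It builds constructed server flights in both layouts, parses them the way a client must (as one handshake stream, ignoring record boundaries), reads the negotiated cipher suite from Server Hello and checks whether a Server Key Exchange message is present exactly when that suite requires one. It also goes a step beyond the thread by re-framing a flight into arbitrarily small records to show that the record split does not change the message sequence. The certificate and key-exchange bodies are placeholders, not real DER or ECDHE parameters.

```python
"""Parse a TLS 1.2 server flight as a client does: records are only transport
framing, handshake messages are read from the concatenated handshake stream.
Added example for this thread (not TekRADIUS or FreeRADIUS code); all bytes are
constructed and the certificate/key-exchange bodies are placeholders."""
import struct

HANDSHAKE = 22
TLS12 = 0x0303
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange", 14: "ServerHelloDone"}

# IANA cipher suite names; the part before _WITH_ is the key exchange and decides
# whether ServerKeyExchange must be sent (RFC 5246, section 7.4.3).
CIPHER_SUITES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}


def needs_server_key_exchange(suite_name):
    """Ephemeral (DHE/ECDHE) suites send their public value in ServerKeyExchange;
    RSA key transport encrypts the premaster secret to the certificate's key."""
    return "DHE" in suite_name.split("_WITH_")[0]


def split_records(data):
    """Return (content_type, version, fragment) for each TLS record in data."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        records.append((ctype, version, fragment))
        off += 5 + length
    return records


def parse_handshake_stream(stream):
    """Split a handshake byte stream into (msg_type, body) pairs."""
    msgs, off = [], 0
    while off < len(stream):
        msg_type = stream[off]
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        body = stream[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("handshake message cut short")
        msgs.append((msg_type, body))
        off += 4 + length
    return msgs


def server_hello_cipher_suite(body):
    # version(2) random(32) session_id<0..32> cipher_suite(2) compression(1) ...
    pos = 35 + body[34]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def analyse_server_flight(data):
    """Summarise a server flight and check ServerKeyExchange against the suite."""
    records = split_records(data)
    stream = b"".join(frag for ctype, _, frag in records if ctype == HANDSHAKE)
    msgs = parse_handshake_stream(stream)
    names = [HS_NAMES.get(t, "type%d" % t) for t, _ in msgs]
    suite = CIPHER_SUITES[server_hello_cipher_suite(msgs[0][1])]
    return {
        "records": len(records),
        "messages": names,
        "cipher_suite": suite,
        "consistent": needs_server_key_exchange(suite) == ("ServerKeyExchange" in names),
    }


# Builders for the constructed sample flights.
def hs_msg(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def record(fragment):
    return struct.pack("!BHH", HANDSHAKE, TLS12, len(fragment)) + fragment

def server_hello(suite):
    return struct.pack("!H", TLS12) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"

def certificate():
    fake_der = b"<placeholder DER certificate>"  # constructed stand-in, never parsed
    entry = len(fake_der).to_bytes(3, "big") + fake_der
    return len(entry).to_bytes(3, "big") + entry

def records_from_stream(stream, max_fragment):
    """Re-frame a handshake stream into records of at most max_fragment bytes."""
    return b"".join(record(stream[i:i + max_fragment]) for i in range(0, len(stream), max_fragment))


# RSA key transport, three messages coalesced into one record (the layout
# Wireshark labels "Multiple Handshake Messages"): no ServerKeyExchange needed.
RSA_STREAM = hs_msg(2, server_hello(0x009C)) + hs_msg(11, certificate()) + hs_msg(14, b"")
COALESCED_RSA = record(RSA_STREAM)

# ECDHE_ECDSA suite, one message per record, ServerKeyExchange present.
SPLIT_ECDHE = (record(hs_msg(2, server_hello(0xC02B))) + record(hs_msg(11, certificate()))
               + record(hs_msg(12, b"<placeholder ECDHE params>")) + record(hs_msg(14, b"")))

# ECDHE suite with ServerKeyExchange left out: the client cannot derive a key.
ECDHE_MISSING_SKE = record(hs_msg(2, server_hello(0xC02B)) + hs_msg(11, certificate()) + hs_msg(14, b""))
```

`analyse_server_flight(COALESCED_RSA)` and `analyse_server_flight(records_from_stream(RSA_STREAM, 7))` report the same three messages even though one is a single record and the other is a dozen, which is why the "Multiple Handshake Messages" label on its own should not break a conforming client; `analyse_server_flight(ECDHE_MISSING_SKE)` is the case that does fail, with `consistent` False.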

pgaudil (Posts: 18), 2.10.2020
OK. I think my problem comes from the certificate but I don't know why they are not accepted.

Admin (Administrator, Posts: 5028), 2.10.2020
You can try TekCERT to generate a new certificate: https://www.kaplansoft.com/tekcert/

pgaudil (Posts: 18), 2.10.2020
Same behaviour.
Powered by Jitbit Forum 8.3.8.0 © 2006-2013 Jitbit Software