3

We do have the following Setup at our company

  • Synology RS812+ hosting LDAP, RADIUS, DNS (Version DSM 5.0-4458 Update 2)
  • 2*Cisco Wifi APs WAP561 (Firmware 1.0.3.4)
  • Cisco Router ISA500 (Firmware 1.2.19)

What we want to have is basically authentication and authorization to the WiFi based on LDAP via RADIUS.

We installed a certificate on the Synology which is issued by GlobalSign for the root domain example.com and nas.example.com (we used our wildcard cert here before, which the Synology showed as self-signed, maybe the usage extensions were not there, so I bought another one).

I configured the APs (WPA2) to connect to the RADIUS (IP based) and the RADIUS to access the LDAP (same machine).

Basically everything works except that our Win7 (and some Vista) clients have problems doing the TLS handshake with the RADIUS.

Unfortunately the output is not very good, since it only shows

Auth 2014-04-15 10:01:49 Login incorrect (TLS Alert read:fatal:access denied): [max.mustermann@example.com/<via Auth-Type = EAP>] (from client CiscoHardware port 0 cli 00-26-82-ED-61-92)

Error 2014-04-15 10:01:49 TLS Alert read:fatal:access denied

My guess: the supplicant (Win7 machine) is not accepting the certificate, which results in the authentication failing. If I uncheck the option "Check Server Certificate" everything works.

The problem must almost certainly be the certificate used in the authentication, since there are strong requirements for the certificate from Microsoft:

http://support.microsoft.com/kb/814394/en-us

I already checked the object identifier, which is 1.3.6.1.5.5.7.3.1 and is present in the certificate.

There are two other points I might not fully understand:

  • The name in the Subject line of the server certificate matches the name that is configured on the client for the connection.
  • For wireless clients, the Subject Alternative Name (SubjectAltName) extension contains the server's fully qualified domain name (FQDN).

There is one intermediate certificate which is present on the RADIUS; the root cert (GlobalSign) is trusted by the OS.

About the domain name: how does a client check this, since it is connecting to an SSID and the AP points to a RADIUS server by IP?

How can I debug this a bit further? I am working on a Win7 machine, but Linux is available if needed.

pfried
  • Have you configured the workstations to use computer based authentication? The "login incorrect" may be an authentication by user account rather than computer account? – Kinnectus Sep 06 '16 at 20:58
  • They were configured to use user accounts. – pfried Sep 07 '16 at 05:40
  • Is that what you want? Computer authentication will allow the computer account to authenticate and will allow any domain user to log on to the computer (making your life a bit easier if the devices are shared)... – Kinnectus Sep 07 '16 at 05:51
  • No, we need user based authentication. It's a lot of bring-your-own devices. – pfried Sep 08 '16 at 12:51
  • Are your users in a security group to be checked through your server if they have access? – Kinnectus Sep 08 '16 at 13:04
  • Sorry, but this is leading nowhere. Guessing around doesn't help anyone. It's OS dependent, so no issues with rights or whatsoever. – pfried Sep 08 '16 at 15:18

2 Answers

0

It's not that clear from your query, but your problem can be because not both of your certificates are correctly tagged:

According to the URL you pointed to:

  • The client certificate needs to have the 1.3.6.1.5.5.7.3.2 extension
  • The server certificate needs to have the 1.3.6.1.5.5.7.3.1 extension

I also believe that it's the intermediate CA you refer to that should have the 1.3.6.1.5.5.7.3.1 extension.

In short, I think your problem lies in the "Server certificate requirements" part of the page.

This shows the openssl config you can use when generating the certificates: http://lists.freeradius.org/pipermail/freeradius-users/2011-April/052962.html. Of course you'll have to add the xpclient_ext/xpserver_ext to the certificates upon generation.

V13
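The question's two unclear points (Subject Alternative Name with the server FQDN) and this answer's EKU OIDs can be checked mechanically against the extension values of the RADIUS server certificate. The following is an added example, not code from either poster: a minimal DER decoder for just the extendedKeyUsage and subjectAltName extension values, with constructed sample values (the hostname nas.example.com is taken from the question; the byte strings are built by hand and do not come from a real certificate).

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, required by KB 814394

def read_tlv(data, pos=0):
    """Decode one DER TLV at pos: (tag, content, position after it)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                           # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + ln], pos + ln

def sequence_items(ext_value):
    """Yield (tag, content) for each element of the outer SEQUENCE."""
    _, body, _ = read_tlv(ext_value)
    pos = 0
    while pos < len(body):
        tag, item, pos = read_tlv(body, pos)
        yield tag, item

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content bytes into dotted form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for byte in content[1:]:                # base-128, high bit = continue
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(ext_value):  # extendedKeyUsage: SEQUENCE OF OID (tag 0x06)
    return [decode_oid(c) for t, c in sequence_items(ext_value) if t == 0x06]

def parse_san_dns(ext_value):  # subjectAltName: dNSName is [2] IMPLICIT, tag 0x82
    return [c.decode("ascii") for t, c in sequence_items(ext_value) if t == 0x82]

def check_server_cert(eku_value, san_value, fqdn):
    """List the KB 814394 server-certificate problems found (empty list = OK)."""
    problems = []
    if SERVER_AUTH not in parse_eku(eku_value):
        problems.append("extendedKeyUsage lacks id-kp-serverAuth " + SERVER_AUTH)
    if fqdn.lower() not in [n.lower() for n in parse_san_dns(san_value)]:
        problems.append("subjectAltName lacks dNSName " + fqdn)
    return problems

# Constructed sample extension values (hand-encoded, not from a real cert).
GOOD_EKU = bytes.fromhex("300a06082b06010505070301")         # serverAuth only
CLIENT_ONLY_EKU = bytes.fromhex("300a06082b06010505070302")  # clientAuth only
SAN_NAS = bytes.fromhex("3011820f6e61732e6578616d706c652e636f6d")  # nas.example.com
```

The extension values themselves can be pulled from the certificate with `openssl asn1parse`; the check only covers the two extensions the question and answer discuss, not chain building or name matching in the supplicant.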
-3

To be sure the cert is the problem, you can make a test: install a web server and configure HTTPS. Use your cert and bind it to the HTTPS port. Add a line to the hosts file of one Win7 client that matches the name of the cert and the IP of the web server. Use IE and open your new web page. IE shows you if the cert is trusted, and you can open the properties of the cert to see details. Don't use Firefox, because it does not use the system cert store.

Robert R.