
Problems with EAP-TLS with smart cards



Archived from groups: microsoft.public.windows.networking.wireless (More info?)

 

Greetings!

I have problems in getting the EAP-TLS with smart card authentication
to work in our wireless test environment. Our goal is that the client
computer (laptop, XP with SP1) gets (machine) authenticated when the
computer starts and after that happens the user authentication with a
smart card.

Now, I have successfully managed to do the computer authentication and
the user authentication (with EAP-TLS) separately but every time I
check the "Use my smart card" option in Smart card and other
Certificates Properties in the XP client computer, the computer
authentication fails. If I change the setting back to use a
certificate that is located in the certificate store of the user, the
computer authentication succeeds (user auth not, since the store is
empty). This seems pretty strange because what I have understood is
that that option shouldn't have anything to do with computer
authentication?! Or am
I missing something here? Is the XP client trying to do computer
authentication from smart card or what is causing this kind of
behaviour?

From the log files one can see that the access point sends an identity
request to the client and then the client calls GetIdentity to find
out its identity but fails with error 703.

Here is the EAPOL.LOG from the client computer when Windows is
preparing network connections:

<clip>
[468] 14:55:46: ProcessReceivedPacket: EAP_Packet
[468] 14:55:46: ProcessReceivedPacket: EAPOLSTATE_CONNECTING
[468] 14:55:46: TIMER: Restart PCB Time: 2097148
[468] 14:55:46: FSMAcquired entered for port 11a/b/g Wireless LAN Mini PCI Adapter
[468] 14:55:46: TIMER: Restart PCB Time: 30
[468] 14:55:46: ElEapEnd entered
[468] 14:55:46: ElEapDllEnd called for EAP Index -1
[468] 14:55:46: ElEapBegin entered
[468] 14:55:46: ElEapBegin done
[468] 14:55:46: ElEapWork: EapolPkt created at 00102930
[468] 14:55:46: ElEapMakeMessage entered
[468] 14:55:46: ElParseIdentityString: Packet length 5 less than minimum 5
[468] 14:55:46: ElGetIdentity: Userlogged=0, AuthMode=1, Prev Machine auth?=0
[468] 14:55:46: ElGetIdentity: !MD5, <MaxAuth, Machine auth
[468] 14:55:46: ElGetUserIdentity entered
[468] 14:55:46: ElGetUserIdentity: Error in calling GetIdentity = 703
[468] 14:55:46: ElGetUserIdentity completed with error 703
[468] 14:55:46: ElGetIdentity: ElGetUserIdentity, Machine auth, failed with error 703
[468] 14:55:46: ElEapMakeMessage: Error in ElGetIdentity 703
[468] 14:55:46: ElEapWork: ElEapMakeMessage returned error 703
[468] 14:55:46: FSMAcquired: Error in ElEapWork 703
[468] 14:55:46: FSMAcquired completed for port 11a/b/g Wireless LAN Mini PCI Adapter
<clip>

RASTLS.LOG:

<clip>
[2844] 14:55:46:187: EapTlsInvokeIdentityUI
[2844] 14:55:46:187: GetCertInfo
[2844] 14:55:46:187: EapTlsInvokeIdentityUI
[2844] 14:55:46:187: GetCertInfo
[2844] 14:55:46:187: EapTlsInvokeIdentityUI
[2844] 14:55:46:187: GetCertInfo
<clip>

Here is a clip from the Cisco AP log:

<clip>
Jul 14 12:57:19.818: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: sending identity request for xxxx.xxxx.xxxx
Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: Started timer client_timeout 30 seconds
Jul 14 12:57:19.819: dot11_auth_parse_client_pak: Received EAPOL packet from xxxx.xxxx.xxxx
Jul 14 12:57:19.819: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for xxxx.xxxx.xxxx
Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: sending identity request for xxxx.xxxx.xxxx
Jul 14 12:57:19.820: dot11_auth_dot1x_send_id_req_to_client: Started timer client_timeout 30 seconds
Jul 14 12:57:49.820: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for xxxx.xxxx.xxxx
Jul 14 12:57:49.820: dot11_auth_dot1x_send_client_fail: Authentication failed for xxxx.xxxx.xxxx
Jul 14 12:57:49.820 B: %DOT11-7-AUTH_FAILED: Station 0005.4e46.bcdf Authentication failed
<clip>


So, the access point just times out waiting for the answer to the
identity request from the client. We are using WPA-TKIP encryption
with Cisco 1200 series access points. The client is an IBM ThinkPad with
Windows XP SP1 installed. The firmware of both the wireless adapter and the
access point is up to date.

I would appreciate any help from you guys. I have struggled with this
problem for almost a month now! Thanks!
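To make the two log excerpts above easier to line up, here is an added example (not part of the original post, and not a Microsoft or Cisco tool) that parses the EAPOL.LOG and Cisco AP line formats exactly as quoted in the post, extracts the supplicant's authentication phase and GetIdentity error on the client side and the armed client_timeout versus the actual wait on the AP side, and reports when the AP failure is just the downstream symptom of the client never answering the identity request. The sample lines are constructed from the post's excerpts (re-joined where the forum wrapped them); the regular expressions and the field names in the returned dictionaries are this example's own assumptions about the log formats, not documented schemas.

```python
import re

# Constructed sample input: client-side EAPOL.LOG lines as quoted in the post,
# re-joined where the forum wrapped them.
EAPOL_SAMPLE = """\
[468] 14:55:46: ProcessReceivedPacket: EAPOLSTATE_CONNECTING
[468] 14:55:46: ElGetIdentity: Userlogged=0, AuthMode=1, Prev Machine auth?=0
[468] 14:55:46: ElGetIdentity: !MD5, <MaxAuth, Machine auth
[468] 14:55:46: ElGetUserIdentity entered
[468] 14:55:46: ElGetUserIdentity: Error in calling GetIdentity = 703
[468] 14:55:46: ElGetIdentity: ElGetUserIdentity, Machine auth, failed with error 703
[468] 14:55:46: FSMAcquired: Error in ElEapWork 703
"""

# Constructed sample input: the Cisco AP excerpt from the post, re-joined the same way.
AP_SAMPLE = """\
Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: sending identity request for xxxx.xxxx.xxxx
Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: Started timer client_timeout 30 seconds
Jul 14 12:57:19.819: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for xxxx.xxxx.xxxx
Jul 14 12:57:49.820: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for xxxx.xxxx.xxxx
Jul 14 12:57:49.820: dot11_auth_dot1x_send_client_fail: Authentication failed for xxxx.xxxx.xxxx
Jul 14 12:57:49.820 B: %DOT11-7-AUTH_FAILED: Station 0005.4e46.bcdf Authentication failed
"""

# Assumed patterns, derived from the quoted lines only.
STATE_RE = re.compile(r"ElGetIdentity: Userlogged=(\d), AuthMode=(\d), Prev Machine auth\?=(\d)")
PHASE_RE = re.compile(r"ElGetIdentity: .*(?<!Prev )\b(Machine|User) auth\b")
GETID_ERR_RE = re.compile(r"Error in calling GetIdentity = (\d+)")
AP_LINE_RE = re.compile(r"^\w{3} +\d+ (\d+):(\d+):(\d+)\.(\d+): (\w+): (.*)$")
TIMER_RE = re.compile(r"Started timer client_timeout (\d+) seconds")


def analyze_eapol(text):
    """Summarise the supplicant log: was a user logged on, which phase
    (machine or user auth) it was in, and did the identity lookup fail."""
    summary = {"user_logged_on": None, "phase": None, "get_identity_error": None}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            summary["user_logged_on"] = m.group(1) == "1"
        m = PHASE_RE.search(line)
        if m:
            summary["phase"] = m.group(1).lower()
        m = GETID_ERR_RE.search(line)
        if m:
            summary["get_identity_error"] = int(m.group(1))
    return summary


def _to_ms(h, m, s, ms):
    """Time-of-day in integer milliseconds (the AP log has no year, so day
    boundaries are ignored; fine for a single exchange)."""
    return int(h) * 3600000 + int(m) * 60000 + int(s) * 1000 + int(ms)


def analyze_ap(text):
    """Summarise the AP log: when the first identity request went out, what
    client_timeout was armed, and how long the AP actually waited."""
    summary = {"id_request_ms": None, "client_timeout": None,
               "timed_out_ms": None, "auth_failed": False, "waited_ms": None}
    for line in text.splitlines():
        m = AP_LINE_RE.match(line)
        if not m:          # e.g. the "%DOT11-7-AUTH_FAILED" syslog line has a different shape
            continue
        t = _to_ms(*m.groups()[:4])
        func, msg = m.group(5), m.group(6)
        if func == "dot11_auth_dot1x_send_id_req_to_client":
            if "sending identity request" in msg and summary["id_request_ms"] is None:
                summary["id_request_ms"] = t
            tm = TIMER_RE.search(msg)
            if tm:
                summary["client_timeout"] = int(tm.group(1))
        elif "TIMEOUT" in msg:
            summary["timed_out_ms"] = t
        elif func == "dot11_auth_dot1x_send_client_fail":
            summary["auth_failed"] = True
    if summary["id_request_ms"] is not None and summary["timed_out_ms"] is not None:
        summary["waited_ms"] = summary["timed_out_ms"] - summary["id_request_ms"]
    return summary


def diagnose(eapol_text, ap_text):
    """Correlate both sides and return a list of findings."""
    c, a = analyze_eapol(eapol_text), analyze_ap(ap_text)
    findings = []
    if c["get_identity_error"] is not None:
        who = "no user logged on" if c["user_logged_on"] is False else "user logged on"
        findings.append("client: %s-auth identity lookup failed with GetIdentity error %d (%s)"
                        % (c["phase"], c["get_identity_error"], who))
    if a["waited_ms"] is not None and a["client_timeout"] is not None \
            and a["waited_ms"] >= a["client_timeout"] * 1000:
        findings.append("ap: no EAP identity response; client_timeout of %ds expired after %.3fs"
                        % (a["client_timeout"], a["waited_ms"] / 1000.0))
    if c["get_identity_error"] is not None and a["auth_failed"]:
        findings.append("correlation: the AP failure is the downstream symptom; "
                        "fix the client's certificate/identity selection first")
    return findings


if __name__ == "__main__":
    for f in diagnose(EAPOL_SAMPLE, AP_SAMPLE):
        print(f)
```

The AP side can only ever show a timeout here, so on its own it looks like a radio or driver problem; pairing it with the supplicant log makes clear that the client never produced an EAP-Response/Identity because GetIdentity failed during the machine-auth phase with no user logged on, which is where to look before touching the access point.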
