EAP-TTLS works for MacOS supplicants but not Win10


EAP-TTLS works for MacOS supplicants but not Win10

Evan Sharp
Hi List,

This is my first message so please advise me of any participation gaffes.

I have a working 802.1X wifi termination with Aruba APs binding Google LDAP
users via FreeRADIUS 3.0.21 using EAP-TTLS. It is only successful with
MacOS supplicants though. When I start debugging Windows 10 clients, the
connection fails somewhere.

Comparing debug outputs, the win10 exchange just seems to stop, with no
errors thrown, where the mac flow otherwise continues.

Pastebin of a successful bind (mac) <https://pastebin.com/wfpDxpMH>

Pastebin to a failed bind (win) <https://pastebin.com/BneBgPAN>

Although the users for testing are different, there is no explicit
Auth-reject to tell me that's the issue.

I'd be very grateful for help understanding what's going on!

Evan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TTLS works for MacOS supplicants but not Win10

Alan DeKok-2
On Sep 15, 2020, at 4:42 PM, Evan Sharp <[hidden email]> wrote:
> This is my first message so please advise me of any participation gaffes.

  http://wiki.freeradius.org/list-help

> I have a working 802.1X wifi termination with Aruba APs binding Google LDAP
> users via FreeRADIUS 3.0.21 using EAP-TTLS. It is only successful with
> MacOS supplicants though. When I start debugging Windows 10 clients, the
> connection fails somewhere.
>
> Comparing debug outputs, the win10 exchange just seems to stop, with no
> errors thrown, where the mac flow otherwise continues.

 "it just stops".

  99% of the time it's a certificate issue.  The CA cert used by FreeRADIUS isn't configured on the Windows machine.

> Although the users for testing are different, there is no explicit
> Auth-reject to tell me that's the issue.

  Because FreeRADIUS isn't rejecting the user.  Instead, the Windows system is refusing to talk to FreeRADIUS.

  Configure the certificates, etc. on Windows, and it will work.  There are EAP-TLS guides on the FreeRADIUS Wiki.  They contain information about Windows, and the certificate configuration is largely the same as for EAP-TTLS.

  Alan DeKok.



Re: EAP-TTLS works for MacOS supplicants but not Win10

Evan Sharp
Hi Alan,

Thanks for the quick reply!

> The CA cert used by FreeRADIUS isn't configured on the Windows machine.

Does that cert come pre-configured in MacOS and ChromeOS? These are BYOD
computers so I haven't touched them, but all the Mac clients have been
plug-and-play.

Evan




Re: EAP-TTLS works for MacOS supplicants but not Win10

Matthew Newton-3
On 15/09/2020 23:49, Evan Sharp wrote:
>> The CA cert used by FreeRADIUS isn't configured on the Windows machine.
>
> Does that cert come pre-configured in MacOS and ChromeOS? These are BYOD
> computers so I haven't touched them, but all the Mac clients have been
> plug-and-play.

It depends on whatever certificate(s) you configured in
raddb/mods-enabled/eap. If it was a commercial CA cert then it's likely
Windows already has it installed. If you generated it from your own CA
yourself then you'll need to install the CA cert in Windows.

Windows is generally a lot more picky about the certificates that it
will accept, hence the difference.

--
Matthew

Re: EAP-TTLS works for MacOS supplicants but not Win10

Alan DeKok-2
In reply to this post by Evan Sharp
On Sep 15, 2020, at 6:49 PM, Evan Sharp <[hidden email]> wrote:
>> The CA cert used by FreeRADIUS isn't configured on the Windows machine.
>
> Does that cert come pre-configured in MacOS and ChromeOS?

  No.

> These are BYOD
> computers so I haven't touched them, but all the Mac clients have been
> plug-and-play.

  Someone poked something.

  For the last 3-4 years, OSX will *not* allow users to configure TTLS with certificates via the GUI.  Instead, it has to be done via a mobileconfig file, or provisioning tool.

  So if OSX and Chrome "just work", then it's because someone is configuring it.  They require some kind of configuration changes before they "just work".

  Alan DeKok.



Re: EAP-TTLS works for MacOS supplicants but not Win10

Evan Sharp
Hi Alan, Matthew, et al.

> So if OSX and Chrome "just work", then it's because someone is
> configuring it.

All respect guys, but these are dozens of K-12 student-owned BYODs. They
haven't received any configuration and they all work out of the gate as
operated by a 12 year old. I don't need to be right, but I don't know
enough about what I've configured to understand how it is working; do you
have any other ideas?

It makes sense to me that Win10 is being finicky about a cert, but since
installing one on these student-owned machines is something I want to
avoid, I want to get to the bottom of OSX's success in case it's replicable.

> "it just stops".
> 99% of the time it's a certificate issue.

Did you look at the end of my "failed bind" debug? Is that what this looks
like for sure? Is there any additional logging I can get besides `-X`?

Thanks,
Evan


Re: EAP-TTLS works for MacOS supplicants but not Win10

Alan DeKok-2
On Sep 16, 2020, at 6:56 PM, Evan Sharp <[hidden email]> wrote:
>
> Hi Alan, Matthew, et al.
>
>> So if OSX and Chrome "just work", then it's because someone is
>> configuring it.
>
> All respect guys, but these are dozens of K-12 student-owned BYODs.

  Do they connect to your network using credentials you supply?

https://support.google.com/chrome/a/answer/2634553?hl=en

        • On Chrome OS versions 61–72, certificates added to an organizational unit are available to both network settings and kiosk apps on devices. On earlier versions, certificates are only available to the network settings on a device.

> They
> haven't received any configuration and they all work out of the gate as
> operated by a 12 year old. I don't need to be right, but I don't know
> enough about what I've configured to understand how it is working; do you
> have any other ideas?

  So far as I'm aware *all* modern operating systems don't allow the user to configure EAP-TTLS or PEAP.  *All* systems refuse to accept even known CAs (i.e. web ones), unless the CA is enabled for EAP.

  I suspect what's happening is that the Chrome devices are pulling the certificate information from your systems.  So someone, somewhere, set it up for your network.

> It makes sense to me that Win10 is being finicky about a cert, but since
> installing one on these student-owned machines is something I want to
> avoid, I want to get to the bottom of OSX's success in case it's replicable.
>
>> "it just stops".
>> 99% of the time it's a certificate issue.
>
> Did you look at the end of my "failed bind" debug?

  Yes... that *is* what I do about 10 times a day.

> Is that what this looks like for sure?

  Yes, I'm not going to change my answer if you ask again.

> Is there any additional logging I can get besides `-X`?

  No amount of additional FreeRADIUS logging will tell you what's going wrong with Windows.

  In fact, if the client keeps trying EAP, the debug output will print out a huge warning, and point you to a Wiki page.  That page describes exactly what's going wrong, and how to fix it.

  Hint: configure Windows correctly.

  Alan DeKok.



Re: EAP-TTLS works for MacOS supplicants but not Win10

Alan Buxey
In reply to this post by Evan Sharp
hi,

is any prompt to trust the cert coming up on the Windows 10 box?  if
not, it really doesn't like it - the root CA must pass a few
requirements for Windows 10 - e.g. not be SHA1, it must have a CRLDP RL
defined or somesuch too.  regarding deployment - you really should be
looking at a deployment tool so that your config is secure (especially
with EAP-TTLS/PAP stuff as anyone doing a simple MiTM can just then
harvest user details trivially....have you heard of eduroam?  you
might want to check that out as it's a free service for academic
institutions but they also provide a nice, easy to use deployment
tool for free (such things from commercial companies cost quite a bit)

alan
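Added example, not from the thread or any poster: a minimal mobileconfig of the kind Alan DeKok says macOS needs for EAP-TTLS, which also covers Alan Buxey's EAP-TTLS/PAP MITM warning by anchoring the server certificate to one CA and one server name. The SSID, identifiers, UUIDs and server name are constructed; the CA data is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>org.example.school.wifi</string>
  <key>PayloadUUID</key><string>3F2504E0-4F89-41D3-9A0C-0305E82C3301</string>
  <key>PayloadDisplayName</key><string>School Wi-Fi (EAP-TTLS)</string>
  <key>PayloadContent</key>
  <array>
    <!-- 1. The school's own CA certificate (base64 DER, placeholder here). Installing
         it as a trust anchor is the step an untouched BYOD client otherwise lacks. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>org.example.school.ca</string>
      <key>PayloadUUID</key><string>7C9B1E2A-5D6F-4A3B-8C1D-2E3F4A5B6C7D</string>
      <key>PayloadDisplayName</key><string>School RADIUS CA</string>
      <key>PayloadContent</key>
      <data>BASE64_DER_OF_CA_CERT_PLACEHOLDER</data>
    </dict>
    <!-- 2. Wi-Fi payload: WPA2-Enterprise, EAP-TTLS with PAP inside the tunnel
         (what a plain LDAP bind behind FreeRADIUS needs). -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>org.example.school.wifi.ssid</string>
      <key>PayloadUUID</key><string>A1B2C3D4-E5F6-4789-ABCD-EF0123456789</string>
      <key>SSID_STR</key><string>SchoolWiFi</string>
      <key>EncryptionType</key><string>WPA2</string>
      <key>AutoJoin</key><true/>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>21</integer></array>  <!-- 21 = EAP-TTLS -->
        <key>TTLSInnerAuthentication</key><string>PAP</string>
        <!-- The RADIUS server certificate must chain to the CA payload above ... -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>7C9B1E2A-5D6F-4A3B-8C1D-2E3F4A5B6C7D</string></array>
        <!-- ... and carry this name, so a rogue AP presenting some other
             certificate is refused before the PAP password is ever sent. -->
        <key>TLSTrustedServerNames</key>
        <array><string>radius.example.org</string></array>
        <key>OuterIdentity</key><string>anonymous@example.org</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Without the two anchor keys the supplicant would have to prompt the user to trust whatever certificate it sees, which is exactly the behaviour that makes EAP-TTLS/PAP harvestable.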

Re: EAP-TTLS works for MacOS supplicants but not Win10

Evan Sharp
In reply to this post by Alan DeKok-2
Hi Alan,

> Do they connect to your network using credentials you supply?


No. They are using their Google Cloud Identity credentials since freeRADIUS
is binding on Google Secure LDAP.

> So far as I'm aware *all* modern operating systems don't allow the user to
> configure EAP-TTLS or PEAP.  *All* systems refuse to accept even known CAs
> (i.e. web ones), unless the CA is enabled for EAP.


Is it possible that the AP controller is not passing the cert request back
to the supplicant and instead is answering RADIUS with the key I installed?
This would explain how a tunnel is being established without a cert on the
BYOD. Midway in the first passthrough:


   (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
   the rest of authorize
   (0) [eap] = ok


@Alan Buxey, Eduroam is a sledgehammer for my little school. The juice is
not worth the squeeze for me, but thanks for the suggestion.

I do appreciate the ongoing help guys.

Evan


Re: EAP-TTLS works for MacOS supplicants but not Win10

Alan DeKok-2
On Sep 17, 2020, at 3:20 PM, Evan Sharp <[hidden email]> wrote:
> No. They are using their Google Cloud Identity credentials since freeRADIUS
> is binding on Google Secure LDAP.

  *Something* is telling the devices to allow your CA.  This does *not* happen automatically.

> Is it possible that the AP controller is not passing the cert request back
> to the supplicant and instead is answering RADIUS with the key I installed?

  I have no idea what that means.  What "key" you installed?

  The AP doesn't do certs, and doesn't know about them.  It just passes packets back and forth between the end-user device, and the RADIUS server.

> This would explain how a tunnel is being established without a cert on the
> BYOD. Midway in the first passthrough:

  The end user device DOES have a certificate configured.

>   (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
>   the rest of authorize
>   (0) [eap] = ok

  That's just the start of the EAP conversation.  It is LONG before any certificate exchange.

  Alan DeKok.

