Problems with EAP-TLS with smart cards

Discussion in 'Wireless Networking' started by jr, Jul 26, 2004.

  1. jr

    jr Guest

    Greetings!

    I have problems in getting the EAP-TLS with smart card authentication
    to work in our wireless test environment. Our goal is that the client
    computer (laptop, XP with SP1) gets (machine) authenticated when the
    computer starts and after that happens the user authentication with a
    smart card.

    Now, I have successfully managed to do the computer authentication and
    the user authentication (with EAP-TLS) separately but every time I
    check the "Use my smart card" option in Smart card and other
    Certificates Properties in the XP client computer, the computer
    authentication fails. If I change the setting back to use a
    certificate that is located in the certificate store of the user, the
    computer authentication succeeds (user auth not, since the store is
    empty). This seems pretty strange because what I have understood is
    that that option shouldn't have anything to do with computer
    authentication?! Or am I missing something here? Is the XP client
    trying to do computer authentication from the smart card, or what is
    causing this kind of behaviour?

    From the log files one can see that the access point sends an identity
    request to the client and then the client calls GetIdentity to find
    out its identity but fails with error 703.

    Here is the EAPOL.LOG from the client computer when Windows is
    preparing network connections:

    <clip>
    [468] 14:55:46: ProcessReceivedPacket: EAP_Packet
    [468] 14:55:46: ProcessReceivedPacket: EAPOLSTATE_CONNECTING
    [468] 14:55:46: TIMER: Restart PCB Time: 2097148
    [468] 14:55:46: FSMAcquired entered for port 11a/b/g Wireless LAN Mini PCI Adapter
    [468] 14:55:46: TIMER: Restart PCB Time: 30
    [468] 14:55:46: ElEapEnd entered
    [468] 14:55:46: ElEapDllEnd called for EAP Index -1
    [468] 14:55:46: ElEapBegin entered
    [468] 14:55:46: ElEapBegin done
    [468] 14:55:46: ElEapWork: EapolPkt created at 00102930
    [468] 14:55:46: ElEapMakeMessage entered
    [468] 14:55:46: ElParseIdentityString: Packet length 5 less than minimum 5
    [468] 14:55:46: ElGetIdentity: Userlogged=0, AuthMode=1, Prev Machine auth?=0
    [468] 14:55:46: ElGetIdentity: !MD5, <MaxAuth, Machine auth
    [468] 14:55:46: ElGetUserIdentity entered
    [468] 14:55:46: ElGetUserIdentity: Error in calling GetIdentity = 703
    [468] 14:55:46: ElGetUserIdentity completed with error 703
    [468] 14:55:46: ElGetIdentity: ElGetUserIdentity, Machine auth, failed with error 703
    [468] 14:55:46: ElEapMakeMessage: Error in ElGetIdentity 703
    [468] 14:55:46: ElEapWork: ElEapMakeMessage returned error 703
    [468] 14:55:46: FSMAcquired: Error in ElEapWork 703
    [468] 14:55:46: FSMAcquired completed for port 11a/b/g Wireless LAN Mini PCI Adapter
    <clip>

    RASTLS.LOG:

    <clip>
    [2844] 14:55:46:187: EapTlsInvokeIdentityUI
    [2844] 14:55:46:187: GetCertInfo
    [2844] 14:55:46:187: EapTlsInvokeIdentityUI
    [2844] 14:55:46:187: GetCertInfo
    [2844] 14:55:46:187: EapTlsInvokeIdentityUI
    [2844] 14:55:46:187: GetCertInfo
    <clip>

    Here is a clip from the Cisco AP log:

    <clip>
    Jul 14 12:57:19.818: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: sending identity request for xxxx.xxxx.xxxx
    Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: Started timer client_timeout 30 seconds
    Jul 14 12:57:19.819: dot11_auth_parse_client_pak: Received EAPOL packet from xxxx.xxxx.xxxx
    Jul 14 12:57:19.819: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for xxxx.xxxx.xxxx
    Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: sending identity request for xxxx.xxxx.xxxx
    Jul 14 12:57:19.820: dot11_auth_dot1x_send_id_req_to_client: Started timer client_timeout 30 seconds
    Jul 14 12:57:49.820: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for xxxx.xxxx.xxxx
    Jul 14 12:57:49.820: dot11_auth_dot1x_send_client_fail: Authentication failed for xxxx.xxxx.xxxx
    Jul 14 12:57:49.820 B: %DOT11-7-AUTH_FAILED: Station 0005.4e46.bcdf Authentication failed
    <clip>


    So, the access point just times out waiting for the answer to the
    identity request from the client. We are using WPA-TKIP encryption
    with Cisco 1200 series access points. The client is an IBM Thinkpad
    with Windows XP SP1 installed. Firmware of both the wireless adapter
    and the access point is up to date.

    I would appreciate any help from you guys. I have struggled with this
    problem for almost a month now! Thanks!
     
    jr, Jul 26, 2004
    #1
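The two logs in the post show the same failure from both ends: the supplicant gives up while building its EAP Identity Response (GetIdentity returns error 703 during machine auth, with Userlogged=0), and the access point, never receiving a response, lets client_timeout expire and fails the station. Telling that apart from a RADIUS rejection matters for triage, because here the server and the certificates were never consulted. The following Python script is an added example and not code from the thread; it parses constructed excerpts modelled on the quoted EAPOL.LOG and Cisco AP lines, correlates them, and names the failure mode. The verdict labels (`supplicant-identity-failure` and so on) and the `triage` helper are this example's own, and it assumes the line formats are exactly as quoted.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed excerpts modelled on the EAPOL.LOG and Cisco AP lines quoted in the thread.
EAPOL_LOG = """\
[468] 14:55:46: ElEapMakeMessage entered
[468] 14:55:46: ElGetIdentity: Userlogged=0, AuthMode=1, Prev Machine auth?=0
[468] 14:55:46: ElGetIdentity: !MD5, <MaxAuth, Machine auth
[468] 14:55:46: ElGetUserIdentity entered
[468] 14:55:46: ElGetUserIdentity: Error in calling GetIdentity = 703
[468] 14:55:46: ElGetIdentity: ElGetUserIdentity, Machine auth, failed with error 703
[468] 14:55:46: ElEapMakeMessage: Error in ElGetIdentity 703
"""

AP_LOG = """\
Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: sending identity request for xxxx.xxxx.xxxx
Jul 14 12:57:19.819: dot11_auth_parse_client_pak: Received EAPOL packet from xxxx.xxxx.xxxx
Jul 14 12:57:19.819: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for xxxx.xxxx.xxxx
Jul 14 12:57:19.819: dot11_auth_dot1x_send_id_req_to_client: sending identity request for xxxx.xxxx.xxxx
Jul 14 12:57:49.820: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for xxxx.xxxx.xxxx
Jul 14 12:57:49.820: dot11_auth_dot1x_send_client_fail: Authentication failed for xxxx.xxxx.xxxx
"""


@dataclass
class SupplicantState:
    user_logged: Optional[int] = None     # Userlogged=0: no interactive user session yet
    auth_mode: Optional[int] = None       # AuthMode as printed by the supplicant
    machine_auth: bool = False            # supplicant was attempting machine (computer) auth
    identity_error: Optional[int] = None  # error returned by GetIdentity, if any


@dataclass
class StationState:
    identity_requests: int = 0  # EAP Identity Requests the AP sent to this station
    eapol_packets: int = 0      # EAPOL frames the AP received from the station
    timed_out: bool = False     # rfsm executed (CLIENT_WAIT, TIMEOUT)
    failed: bool = False        # AP declared authentication failed


RE_IDENTITY_STATE = re.compile(r"ElGetIdentity: Userlogged=(\d+), AuthMode=(\d+)")
RE_MACHINE_AUTH = re.compile(r"ElGetIdentity: .*Machine auth$")
RE_IDENTITY_ERROR = re.compile(r"Error in calling GetIdentity = (\d+)")
RE_ID_REQUEST = re.compile(r"sending identity request for (\S+)")
RE_EAPOL_RX = re.compile(r"Received EAPOL packet from (\S+)")
RE_ACTION = re.compile(r"Executing Action\((\w+),(\w+)\) for (\S+)")
RE_FAILED = re.compile(r"Authentication failed for (\S+)")


def parse_eapol_log(text: str) -> SupplicantState:
    """Extract the outcome of the identity phase from a Windows XP EAPOL.LOG excerpt."""
    st = SupplicantState()
    for line in text.splitlines():
        m = RE_IDENTITY_STATE.search(line)
        if m:
            st.user_logged, st.auth_mode = int(m.group(1)), int(m.group(2))
        if RE_MACHINE_AUTH.search(line):
            st.machine_auth = True
        m = RE_IDENTITY_ERROR.search(line)
        if m:
            st.identity_error = int(m.group(1))
    return st


def parse_ap_log(text: str) -> Dict[str, StationState]:
    """Track each station's 802.1X identity exchange in a Cisco IOS AP debug excerpt."""
    stations: Dict[str, StationState] = {}
    for line in text.splitlines():
        for rx, attr in ((RE_ID_REQUEST, "identity_requests"), (RE_EAPOL_RX, "eapol_packets")):
            m = rx.search(line)
            if m:
                s = stations.setdefault(m.group(1), StationState())
                setattr(s, attr, getattr(s, attr) + 1)
        m = RE_ACTION.search(line)
        if m and m.group(1) == "CLIENT_WAIT" and m.group(2) == "TIMEOUT":
            stations.setdefault(m.group(3), StationState()).timed_out = True
        m = RE_FAILED.search(line)
        if m:
            stations.setdefault(m.group(1), StationState()).failed = True
    return stations


def classify(client: SupplicantState, station: StationState) -> str:
    """Name the failure mode so triage starts on the right side (labels are this example's own)."""
    client_aborted = client.identity_error is not None
    ap_waited_in_vain = station.identity_requests > 0 and station.timed_out and station.failed
    if client_aborted and ap_waited_in_vain:
        # Both ends agree: no Identity Response was ever produced, so the
        # RADIUS server and the certificates were never consulted.
        return "supplicant-identity-failure"
    if ap_waited_in_vain:
        return "client-silent"           # AP side only: client never answered, no client log to say why
    if client_aborted:
        return "client-identity-error"   # client side only
    return "undetermined"


def triage(eapol_text: str, ap_text: str, station_id: str) -> dict:
    """Correlate supplicant and AP views for one station and return a summary."""
    client = parse_eapol_log(eapol_text)
    station = parse_ap_log(ap_text).get(station_id, StationState())
    return {
        "verdict": classify(client, station),
        "machine_auth": client.machine_auth,
        "user_logged": client.user_logged,
        "identity_error": client.identity_error,
        "identity_requests": station.identity_requests,
        "timed_out": station.timed_out,
    }


if __name__ == "__main__":
    for key, value in triage(EAPOL_LOG, AP_LOG, "xxxx.xxxx.xxxx").items():
        print(f"{key}: {value}")
```

On the thread's excerpts this yields the verdict `supplicant-identity-failure` with `machine_auth=True`, `user_logged=0` and `identity_error=703`: the supplicant aborted before sending an identity, which is why the AP shows only identity requests followed by a CLIENT_WAIT timeout and no RADIUS exchange at all.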

  2. drewbono

    drewbono

    Joined:
    Jun 23, 2006
    Messages:
    1
    I'm having the same problem. Exactly. Anyone have any other info on what might be causing this?
     
    drewbono, Jun 23, 2006
    #2
