Univention Bugzilla – Bug 35516
Client authentication not possible
Last modified: 2014-11-07 15:38:49 CET
2014072821000325: Pre domain logon client authentication doesn't work. It does not work for win7 and win8 (I didn't test win xp).

The log files show this for win8:

Tue Jul 29 15:48:56 2014 : Auth: Login incorrect: [host/win8.radius.tim/<via Auth-Type = EAP>] (from client FOO port 0 cli 00-22-FB-54-33-BC)
Tue Jul 29 15:49:40 2014 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [host/win8.radius.tim/<via Auth-Type = EAP>] (from client FOO port 0 via TLS tunnel)

root@master:~# univention-radius-check-access --username=win8$ --station-id=00-22-FB-54-33-BC | grep ALLOWED
Thus access for user is ALLOWED.
Thus access for station is ALLOWED.
Thus access is ALLOWED.

and this for win7:

Wed Jul 30 10:09:36 2014 : Error: TLS Alert read:fatal:unknown CA
Wed Jul 30 10:09:36 2014 : Error: TLS_accept: failed in SSLv3 read client certificate A
Wed Jul 30 10:09:36 2014 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jul 30 10:09:36 2014 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Wed Jul 30 10:09:36 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [host/WIN7.radius.tim/<via Auth-Type = EAP>] (from client FOO port 0 cli 00-21-6A-74-12-82)

root@master:~# univention-radius-check-access --username=win7$ --station-id=00-21-6A-74-12-82 | grep ALLOWED
Thus access for user is ALLOWED.
Thus access for station is ALLOWED.
Thus access is ALLOWED.

root@master:~# ntlm_auth --request-nt-key --domain=radius --username=win8$ --password=univention
NT_STATUS_OK: Success (0x0)
root@master:~# ntlm_auth --request-nt-key --domain=radius --username=win7$ --password=univention
NT_STATUS_OK: Success (0x0)

I set the machine passwords to "univention" after my basic tests, to be able to test ntlm by hand, to be sure.
My test environment, master, wlan ap, two laptops (win7 and win8) still exists and is usable for further analysis.
When using an AD (Samba4) domain, client authentication uses the username field to transfer the hostname in the format host/client.example.com instead of the "old" format client$. Thus the computer cannot be found by the current code.
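To make the mismatch concrete, here is an added example of how a RADIUS access check can map both username forms seen in the logs above ("win8$" and "host/win8.radius.tim") onto the machine account's sAMAccountName before looking it up. This is illustrative code written for this page, not the code of univention-radius or of the attached patch for networkaccess.py. It assumes that machine accounts are keyed by "<hostname>$", that the short hostname is the part of the FQDN before the first dot, and that the name comparison is case-insensitive (as it is for sAMAccountName in AD); the MACHINE_ACCOUNTS table stands in for the LDAP lookup and is constructed for the example.

```python
"""Map the username a Samba 4 / AD client sends during EAP machine
authentication to the machine account stored in the directory.

Added example for this bug page; not code from univention-radius.
Assumptions: machine accounts are keyed by sAMAccountName ("<host>$"),
the client presents either "<host>$" or "host/<fqdn>", and the name
comparison is case-insensitive.
"""
import re

# Constructed stand-in for the LDAP machine-account lookup (keys lower-cased
# because the in-memory comparison here is an exact match).
MACHINE_ACCOUNTS = {
    "win8$": {"dn": "cn=win8,cn=computers,dc=radius,dc=tim"},
    "win7$": {"dn": "cn=win7,cn=computers,dc=radius,dc=tim"},
}

# Service-principal form sent by AD (Samba 4) clients: host/<fqdn>.
_HOST_PRINCIPAL = re.compile(r"^host/(?P<fqdn>[^/@\s]+)$", re.IGNORECASE)


def normalize_machine_name(username):
    """Return the sAMAccountName ("win8$") for the username a client sent.

    Accepts the legacy "win8$" form and the AD service-principal form
    "host/win8.radius.tim". Anything else raises ValueError so the caller
    rejects the request rather than silently matching the wrong entry.
    """
    username = username.strip()
    m = _HOST_PRINCIPAL.match(username)
    if m:
        # Short hostname is the label before the first dot of the FQDN.
        hostname = m.group("fqdn").split(".", 1)[0]
        if not hostname:
            raise ValueError("empty hostname in %r" % (username,))
        return hostname.lower() + "$"
    if username.endswith("$") and "/" not in username and len(username) > 1:
        return username.lower()
    raise ValueError("not a machine account name: %r" % (username,))


def naive_lookup(username):
    """The pre-fix behaviour: use the username as sent as the lookup key.

    Works for "win8$" but returns None for "host/win8.radius.tim".
    """
    return MACHINE_ACCOUNTS.get(username)


def lookup_machine(username):
    """Resolve a client username to its machine-account entry, or None."""
    try:
        key = normalize_machine_name(username)
    except ValueError:
        return None
    return MACHINE_ACCOUNTS.get(key)


if __name__ == "__main__":
    for name in ("win8$", "host/win8.radius.tim", "host/WIN7.radius.tim", "host/"):
        print("%-25s naive=%s  normalized=%s" % (
            name, naive_lookup(name) is not None, lookup_machine(name) is not None))
```

The naive lookup is what the comment above describes: the "old" client$ form resolves, the host/client.example.com form does not. Normalizing first makes both forms resolve to the same entry, while malformed input (an empty hostname, a bare "$", or a name with a slash that is not a host/ principal) is rejected instead of being matched against the directory.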
Created attachment 6032: Patch for networkaccess.py
Works in a testing environment with the attached patch.
The package is rebuilt with the patch in errata3.2-3 and ucs_4.0-0. Advisory: 2014-10-29-univention-radius.yaml
Authentication successful with a Windows client on UCS 3.2-3 and 4.0-0 servers with radius installed.
http://errata.univention.de/ucs/3.2/239.html