hostapd on FreeBSD + EAP-TLS + WindowsXP/SP2 -- problems.

Bryan Kadzban bryan at kadzban.is-a-geek.net
Thu May 11 12:45:21 EDT 2006


On Thu, May 11, 2006 at 04:04:30PM +0400, Lev A. Serebryakov wrote:
> I've installed CA certificate and client certificate to WindowsXP. I 
> want to use computer authentication, not user one, so my `commonName' is 
> equal to FQDN of client computer.

Is the computer's cert (with its private key) in the machine store, or
the user store?

>    And WindowsXP/SP2 shows "Wait for network..." progress bar for about 
> 3 minutes and fails to connect!

How does it fail?  Does it complain about "couldn't find a certificate"
or something like that?

If so, you need to set a registry key so that it always tries to do
machine authentication.  (When you set up a wireless network and try to
connect to it there (instead of at boot time), it tries to log onto the
wireless as the logged-on user, not the machine.)

See, for instance:

http://technet2.microsoft.com/WindowsServer/en/Library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true

which mentions the registry key:

HKLM\Software\Microsoft\EAPOL\Parameters\General\Global

and says to set the DWORD value named "AuthMode" to 2 to get XP to use
the machine credentials only.  There's also a SupplicantMode value that
controls whether the EAPOL-Start frame is transmitted; I've never had to
set that value to anything to get it to work.

Note that if you do this, the cert must be in the machine's store, as
well.  (You've probably already set up an MMC for the certificates
snap-in; just double-check that it's looking at the machine store, not
your current user's store.  You'll have to be an admin to run that MMC
in that mode.)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20060511/ae9470ef/attachment.pgp 


More information about the HostAP mailing list