Windows clients unable to connect to the network via FreeRADIUS and WPA2-Enterprise

771
Quilty Kim

I am currently having trouble getting my Windows clients to connect via FreeRADIUS. I have an Asus RT-AC68U running Merlin firmware, with FreeRADIUS from Entware-ng. My non-Windows clients connect without any problems, so my suspicion is either the way the network connection is set up in Windows 8/10 or the way FreeRADIUS is configured.

I followed the "Setting up FreeRadius2 through Entware" guide here to install and configure FreeRADIUS on my router. My Windows configuration is here. Any help would be greatly appreciated. The Super User question that I think is most closely related to my query is "Windows cannot connect to WPA2 Enterprise Wi-Fi access point with EAP-TTLS-PAP authentication using FreeRADIUS", but unfortunately it does not solve my particular problem.

The debug output from the FreeRADIUS server is as follows:

    admin@MERLIN:/tmp/mnt/sda2/entware-ng.arm/etc/freeradius2/sites# radiusd -XX
    Sun Jan 22 06:40:57 2017 : Info: radiusd: FreeRADIUS Version 2.2.9, for host arm-openwrt-linux-gnu, built on Dec 26 2016 at 19:02:57
    Sun Jan 22 06:40:57 2017 : Debug: Server was built with:
    Sun Jan 22 06:40:57 2017 : Debug:   accounting
    Sun Jan 22 06:40:57 2017 : Debug:   authentication
    Sun Jan 22 06:40:57 2017 : Debug:   WITH_DHCP
    Sun Jan 22 06:40:57 2017 : Debug:   WITH_VMPS
    Sun Jan 22 06:40:57 2017 : Debug: Server core libs:
    Sun Jan 22 06:40:57 2017 : Debug:   ssl: OpenSSL 1.0.2j 26 Sep 2016
    Sun Jan 22 06:40:57 2017 : Info: Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
    Sun Jan 22 06:40:57 2017 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    Sun Jan 22 06:40:57 2017 : Info: PARTICULAR PURPOSE.
    Sun Jan 22 06:40:57 2017 : Info: You may redistribute copies of FreeRADIUS under the terms of the
    Sun Jan 22 06:40:57 2017 : Info: GNU General Public License.
    Sun Jan 22 06:40:57 2017 : Info: For more information about these matters, see the file named COPYRIGHT.
    Sun Jan 22 06:40:57 2017 : Info: Starting - reading configuration files ...
    Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/radiusd.conf
    Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/clients.conf
    Sun Jan 22 06:40:57 2017 : Debug: including files in directory /opt/etc/freeradius2/modules/
    Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/ldap
    Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/pap
    Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/mschap
    Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/files
    Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/eap.conf
    Sun Jan 22 06:40:57 2017 : Debug: including files in directory /opt/etc/freeradius2/sites/
    Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/sites/default
    Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/sites/inner-tunnel
    Sun Jan 22 06:40:57 2017 : Debug: main {
    Sun Jan 22 06:40:57 2017 : Debug:   allow_core_dumps = no
    Sun Jan 22 06:40:57 2017 : Debug: }
    Sun Jan 22 06:40:57 2017 : Debug: including dictionary file /opt/etc/freeradius2/dictionary
    Sun Jan 22 06:40:57 2017 : Debug: main {
    Sun Jan 22 06:40:57 2017 : Debug:   name = "radiusd"
    Sun Jan 22 06:40:57 2017 : Debug:   prefix = "/opt"
    Sun Jan 22 06:40:57 2017 : Debug:   localstatedir = "/opt/var"
    Sun Jan 22 06:40:57 2017 : Debug:   sbindir = "/opt/sbin"
    Sun Jan 22 06:40:57 2017 : Debug:   logdir = "/opt/var/log"
    Sun Jan 22 06:40:57 2017 : Debug:   run_dir = "/opt/var/run/radius"
    Sun Jan 22 06:40:57 2017 : Debug:   libdir = "/opt/lib/freeradius2"
    Sun Jan 22 06:40:57 2017 : Debug:   radacctdir = "/opt/var/db/radacct"
    Sun Jan 22 06:40:57 2017 : Debug:   hostname_lookups = no
    Sun Jan 22 06:40:57 2017 : Debug:   max_request_time = 15
    Sun Jan 22 06:40:57 2017 : Debug:   cleanup_delay = 7
    Sun Jan 22 06:40:57 2017 : Debug:   max_requests = 512
    Sun Jan 22 06:40:57 2017 : Debug:   pidfile = "/opt/var/run/radius/radiusd.pid"
    Sun Jan 22 06:40:57 2017 : Debug:   checkrad = "/opt/sbin/checkrad"
    Sun Jan 22 06:40:57 2017 : Debug:   debug_level = 0
    Sun Jan 22 06:40:57 2017 : Debug:   proxy_requests = no
    Sun Jan 22 06:40:57 2017 : Debug:   log {
    Sun Jan 22 06:40:57 2017 : Debug:     stripped_names = no
    Sun Jan 22 06:40:57 2017 : Debug:     auth = no
    Sun Jan 22 06:40:57 2017 : Debug:     auth_badpass = no
    Sun Jan 22 06:40:57 2017 : Debug:     auth_goodpass = no
    Sun Jan 22 06:40:57 2017 : Debug:   }
    Sun Jan 22 06:40:57 2017 : Debug:   security {
    Sun Jan 22 06:40:57 2017 : Debug:     max_attributes = 200
    Sun Jan 22 06:40:57 2017 : Debug:     reject_delay = 5
    Sun Jan 22 06:40:57 2017 : Debug:     status_server = no
    Sun Jan 22 06:40:57 2017 : Debug:   }
    Sun Jan 22 06:40:57 2017 : Debug: }
    Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Realms and Home Servers ####
    Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Clients ####
    Sun Jan 22 06:40:57 2017 : Debug: client 192.168.1.0/28 {
    Sun Jan 22 06:40:57 2017 : Debug:   ipaddr = 192.168.1.1
    Sun Jan 22 06:40:57 2017 : Debug:   require_message_authenticator = yes
    Sun Jan 22 06:40:57 2017 : Debug:   secret = "secretsecretsecret"
    Sun Jan 22 06:40:57 2017 : Debug:   nastype = "other"
    Sun Jan 22 06:40:57 2017 : Debug: }
    Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Instantiating modules ####
    Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Virtual Servers ####
    Sun Jan 22 06:40:57 2017 : Debug: server { # from file /opt/etc/freeradius2/radiusd.conf
    Sun Jan 22 06:40:57 2017 : Debug:   modules {
    Sun Jan 22 06:40:57 2017 : Debug:   Module: Checking authenticate {...} for more modules to load
    Sun Jan 22 06:40:57 2017 : Debug:   (Loaded rlm_mschap, checking if it's valid)
    Sun Jan 22 06:40:57 2017 : Debug:   Module: Linked to module rlm_mschap
    Sun Jan 22 06:40:57 2017 : Debug:   Module: Instantiating module "mschap" from file /opt/etc/freeradius2/modules/mschap
    Sun Jan 22 06:40:57 2017 : Debug:   mschap {
    Sun Jan 22 06:40:57 2017 : Debug:     use_mppe = yes
    Sun Jan 22 06:40:57 2017 : Debug:     require_encryption = no
    Sun Jan 22 06:40:57 2017 : Debug:     require_strong = no
    Sun Jan 22 06:40:57 2017 : Debug:     with_ntdomain_hack = no
    Sun Jan 22 06:40:57 2017 : Debug:     allow_retry = yes
    Sun Jan 22 06:40:57 2017 : Debug:   }
    Sun Jan 22 06:40:57 2017 : Debug:   (Loaded rlm_eap, checking if it's valid)
    Sun Jan 22 06:40:57 2017 : Debug:   Module: Linked to module rlm_eap
    Sun Jan 22 06:40:57 2017 : Debug:   Module: Instantiating module "eap" from file /opt/etc/freeradius2/eap.conf
    Sun Jan 22 06:40:57 2017 : Debug:   eap {
    Sun Jan 22 06:40:57 2017 : Debug:     default_eap_type = "ttls"
    Sun Jan 22 06:40:57 2017 : Debug:     timer_expire = 60
    Sun Jan 22 06:40:57 2017 : Debug:     ignore_unknown_eap_types = no
    Sun Jan 22 06:40:57 2017 : Debug:     cisco_accounting_username_bug = no
    Sun Jan 22 06:40:57 2017 : Debug:     max_sessions = 4096
    Sun Jan 22 06:40:57 2017 : Debug:   }
    Sun Jan 22 06:40:57 2017 : Debug:   Module: Linked to sub-module rlm_eap_tls
    Sun Jan 22 06:40:57 2017 : Debug:   Module: Instantiating eap-tls
    Sun Jan 22 06:40:57 2017 : Debug:   tls {
    Sun Jan 22 06:40:57 2017 : Debug:     rsa_key_exchange = no
    Sun Jan 22 06:40:57 2017 : Debug:     dh_key_exchange = yes
    Sun Jan 22 06:40:57 2017 : Debug:     rsa_key_length = 512
    Sun Jan 22 06:40:57 2017 : Debug:     dh_key_length = 512
    Sun Jan 22 06:40:57 2017 : Debug:     verify_depth = 0
    Sun Jan 22 06:40:57 2017 : Debug:     pem_file_type = yes
    Sun Jan 22 06:40:57 2017 : Debug:     private_key_file = "/opt/etc/freeradius2/certs/ec-server_key.pem"
    Sun Jan 22 06:40:57 2017 : Debug:     certificate_file = "/opt/etc/freeradius2/certs/ec-server_cert.pem"
    Sun Jan 22 06:40:57 2017 : Debug:     private_key_password = "password"
    Sun Jan 22 06:40:57 2017 : Debug:     dh_file = "/opt/etc/freeradius2/certs/dh"
    Sun Jan 22 06:40:57 2017 : Debug:     random_file = "/dev/urandom"
    Sun Jan 22 06:40:57 2017 : Debug:     fragment_size = 1024
    Sun Jan 22 06:40:57 2017 : Debug:     include_length = yes
    Sun Jan 22 06:40:57 2017 : Debug:     check_crl = no
    Sun Jan 22 06:40:57 2017 : Debug:     check_all_crl = no
    Sun Jan 22 06:40:57 2017 : Debug:     cipher_list = "TLSv1:ECDHE-ECDSA-AES256-SHA"
    Sun Jan 22 06:40:57 2017 : Debug:     check_cert_issuer = "/C=US/ST=NY/L=New York/O=Merlin/OU=IT/CN=admin/emailAddress=admin@admin.com"
    Sun Jan 22 06:40:57 2017 : Debug:     ecdh_curve = "secp521r1"
    Sun Jan 22 06:40:57 2017 : Debug:   }
    Sun Jan 22 06:40:59 2017 : Debug:   Module: Linked to sub-module rlm_eap_ttls
    Sun Jan 22 06:40:59 2017 : Debug:   Module: Instantiating eap-ttls
    Sun Jan 22 06:40:59 2017 : Debug:   ttls {
    Sun Jan 22 06:40:59 2017 : Debug:     default_eap_type = "md5"
    Sun Jan 22 06:40:59 2017 : Debug:     copy_request_to_tunnel = no
    Sun Jan 22 06:40:59 2017 : Debug:     use_tunneled_reply = yes
    Sun Jan 22 06:40:59 2017 : Debug:     virtual_server = "inner-tunnel"
    Sun Jan 22 06:40:59 2017 : Debug:     include_length = yes
    Sun Jan 22 06:40:59 2017 : Debug:   }
    Sun Jan 22 06:40:59 2017 : Debug:   Module: Checking authorize {...} for more modules to load
    Sun Jan 22 06:40:59 2017 : Debug:   } # modules
    Sun Jan 22 06:40:59 2017 : Debug: } # server
    Sun Jan 22 06:40:59 2017 : Debug: server inner-tunnel { # from file /opt/etc/freeradius2/sites/inner-tunnel
    Sun Jan 22 06:40:59 2017 : Debug:   modules {
    Sun Jan 22 06:40:59 2017 : Debug:   Module: Checking authenticate {...} for more modules to load
    Sun Jan 22 06:40:59 2017 : Debug:   (Loaded rlm_pap, checking if it's valid)
    Sun Jan 22 06:40:59 2017 : Debug:   Module: Linked to module rlm_pap
    Sun Jan 22 06:40:59 2017 : Debug:   Module: Instantiating module "pap" from file /opt/etc/freeradius2/modules/pap
    Sun Jan 22 06:40:59 2017 : Debug:   pap {
    Sun Jan 22 06:40:59 2017 : Debug:     encryption_scheme = "auto"
    Sun Jan 22 06:40:59 2017 : Debug:     auto_header = yes
    Sun Jan 22 06:40:59 2017 : Debug:   }
    Sun Jan 22 06:40:59 2017 : Debug:   Module: Checking authorize {...} for more modules to load
    Sun Jan 22 06:40:59 2017 : Debug:   (Loaded rlm_files, checking if it's valid)
    Sun Jan 22 06:40:59 2017 : Debug:   Module: Linked to module rlm_files
    Sun Jan 22 06:40:59 2017 : Debug:   Module: Instantiating module "files" from file /opt/etc/freeradius2/modules/files
    Sun Jan 22 06:40:59 2017 : Debug:   files {
    Sun Jan 22 06:40:59 2017 : Debug:     usersfile = "/opt/etc/freeradius2/users"
    Sun Jan 22 06:40:59 2017 : Debug:     compat = "no"
    Sun Jan 22 06:40:59 2017 : Debug:   }
    Sun Jan 22 06:40:59 2017 : Debug:   reading pairlist file /opt/etc/freeradius2/users
    Sun Jan 22 06:40:59 2017 : Debug:   } # modules
    Sun Jan 22 06:40:59 2017 : Debug: } # server
    Sun Jan 22 06:40:59 2017 : Debug: radiusd: #### Opening IP addresses and Ports ####
    Sun Jan 22 06:40:59 2017 : Debug: listen {
    Sun Jan 22 06:40:59 2017 : Debug:   type = "auth"
    Sun Jan 22 06:40:59 2017 : Debug:   ipaddr = 192.168.1.1
    Sun Jan 22 06:40:59 2017 : Debug:   port = 1111
    Sun Jan 22 06:40:59 2017 : Debug: }
    Sun Jan 22 06:40:59 2017 : Debug: listen {
    Sun Jan 22 06:40:59 2017 : Debug:   type = "auth"
    Sun Jan 22 06:40:59 2017 : Debug:   ipaddr = 192.168.1.1
    Sun Jan 22 06:40:59 2017 : Debug:   port = 11111
    Sun Jan 22 06:40:59 2017 : Debug: }
    Sun Jan 22 06:40:59 2017 : Debug: Listening on authentication address 192.168.1.1 port 1111
    Sun Jan 22 06:40:59 2017 : Debug: Listening on authentication address 192.168.1.1 port 11111 as server inner-tunnel
    Sun Jan 22 06:40:59 2017 : Info: Ready to process requests.

    Sun Jan 22 06:39:05 2017 : Info: ++[eap] = handled
    Sun Jan 22 06:39:05 2017 : Info: +} # group authenticate = handled
    Sending Access-Challenge of id 0 to 192.168.1.1 port 37394
        EAP-Message = 0x010300061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd3ae25a1d3ad30d9fc8f19efc6ae34d4
    Sun Jan 22 06:39:05 2017 : Info: Finished request 0.
    Sun Jan 22 06:39:05 2017 : Debug: Going to the next request
    Sun Jan 22 06:39:05 2017 : Debug: Waking up in 6.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.1 port 37394, id=0, length=296
    Sun Jan 22 06:39:05 2017 : Info: Cleaning up request 0 ID 0 with timestamp +33
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "382c4a9c3c98"
        Calling-Station-Id = "7c7a91882d77"
        NAS-Identifier = "382c4a9c3c98"
        NAS-Port = 82
        Framed-MTU = 1400
        State = 0xd3ae25a1d3ad30d9fc8f19efc6ae34d4
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000
        Message-Authenticator = 0x1e96a1dba89221e13e437285a0ddb5a3
    Sun Jan 22 06:39:05 2017 : Info: # Executing section authorize from file /opt/etc/freeradius2/sites/default
    Sun Jan 22 06:39:05 2017 : Info: +group authorize {
    Sun Jan 22 06:39:05 2017 : Info: ++[mschap] = noop
    Sun Jan 22 06:39:05 2017 : Info: [eap] EAP packet type response id 3 length 161
    Sun Jan 22 06:39:05 2017 : Info: [eap] Continuing tunnel setup.
    Sun Jan 22 06:39:05 2017 : Info: ++[eap] = ok
    Sun Jan 22 06:39:05 2017 : Info: +} # group authorize = ok
    Sun Jan 22 06:39:05 2017 : Info: Found Auth-Type = EAP
    Sun Jan 22 06:39:05 2017 : Info: # Executing group from file /opt/etc/freeradius2/sites/default
    Sun Jan 22 06:39:05 2017 : Info: +group authenticate {
    Sun Jan 22 06:39:05 2017 : Info: [eap] Request found, released from the list
    Sun Jan 22 06:39:05 2017 : Info: [eap] EAP/ttls
    Sun Jan 22 06:39:05 2017 : Info: [eap] processing type ttls
    Sun Jan 22 06:39:05 2017 : Info: [ttls] Authenticate
    Sun Jan 22 06:39:05 2017 : Info: [ttls] processing EAP-TLS
    Sun Jan 22 06:39:05 2017 : Debug: TLS Length 151
    Sun Jan 22 06:39:05 2017 : Info: [ttls] Length Included
    Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_verify returned 11
    Sun Jan 22 06:39:05 2017 : Info: [ttls] (other): before/accept initialization
    Sun Jan 22 06:39:05 2017 : Info: [ttls] TLS_accept: before/accept initialization
    Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0005]
    Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0092]
    Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0005]
    Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0002]
    Sun Jan 22 06:39:05 2017 : Error: TLS Alert write:fatal:handshake failure
    Sun Jan 22 06:39:05 2017 : Error: TLS_accept: error in error
    Sun Jan 22 06:39:05 2017 : Error: TLS_accept: error in error
    Sun Jan 22 06:39:05 2017 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
    Sun Jan 22 06:39:05 2017 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
    Sun Jan 22 06:39:05 2017 : Debug: TLS receive handshake failed during operation
    Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_process returned 4
    Sun Jan 22 06:39:05 2017 : Info: [eap] Handler failed in EAP/ttls
    Sun Jan 22 06:39:05 2017 : Info: [eap] Failed in EAP select
    Sun Jan 22 06:39:05 2017 : Info: ++[eap] = invalid
    Sun Jan 22 06:39:05 2017 : Info: +} # group authenticate = invalid
    Sun Jan 22 06:39:05 2017 : Info: Failed to authenticate the user.
    Sun Jan 22 06:39:05 2017 : Info: Using Post-Auth-Type Reject
    Sun Jan 22 06:39:05 2017 : Info: WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
    Sun Jan 22 06:39:05 2017 : Info: Delaying reject of request 1 for 5 seconds
    Sun Jan 22 06:39:05 2017 : Debug: Going to the next request
    Sun Jan 22 06:39:05 2017 : Debug: Waking up in 0.9 seconds.
    Sun Jan 22 06:39:06 2017 : Debug: Waking up in 3.9 seconds.
    ^C
0

1 answer to the question

0
synchris

The problem is your TLS cipher list; expand it to allow more ciphers.

Thanks for the lead! So I just changed the cipher list to "ALL", following your suggestion and http://lists.freeradius.org/pipermail/freeradius-users/2014-October/074178.html, but now I get the log here: http://pastebin.com/UTvbTQqY. I feel like I'm getting really close. Quilty Kim 7 years ago 0
The most likely explanation is that your FreeRADIUS does not support the TLS version on the client side, so you could downgrade the TLS version in the Windows settings. synchris 7 years ago 0