Discussion:
IAS on Win2003: Support for TLS_RSA_WITH_AES_128_CBC_SHA, PEAP
K.C.Rao
2009-02-25 11:57:01 UTC
Hi,

Problem description:

I am running IAS on Windows Server 2003 SP2. I am trying to use
PEAPv0/EAP-MSCHAPv2 with the TLS cipher suite TLS_RSA_WITH_AES_128_CBC_SHA. I
am using the Open Source supplicant, wpa_supplicant. We are having to use TLS
v1.0. I can’t get the authentication to work with IAS. But everything works
fine with Cisco ACS, using perfectly the same supplicant setup.

When I tried to authenticate with IAS using some user name and password, and
an older cipher suite TLS_RSA_WITH_RC4_SHA, the authentication happened
successfully. However, when I tried to authenticate with the very same
username and password, but the newer TLS_RSA_WITH_AES_128_CBC_SHA suite, IAS
complained that the username and/or password is incorrect. I found that kind
of strange, since everything else everywhere, except the ciphersuite, was the
same in both situations. I know, because I checked and modified the source
code of wpa_supplicant myself, and also checked the TLS ClientHello going out
in a sniffer.

Why would the username/password be accepted in one case, and not in the
other? After all the cipher suite used shouldn’t alter the user
name/password ...

Anyway, upon digging a little further, I got to know that Win2003 does not
support TLS_RSA_WITH_AES_128_CBC_SHA by default. MS has released a hotfix to
address this:
http://support.microsoft.com/kb/948963
The description basically says don’t use this hotfix unless you absolutely
require it. Wait for a proper update. That was on July 14, 2008. I searched
among the updates, but didn’t see any update that seemed to include the fix
(hope I searched properly). In any case, we did a complete update of the
server, and the situation didn’t change. It is possible that the update has
been applied, but we are doing something else wrong. I did check in the
Schannel entries in the registry – there was no AES 128 bit entry there. That
kind of suggests that the update hasn’t come in – but you never know.

Questions:
1) Is there an IAS setting to enable use of TLS_RSA_WITH_AES_128_CBC_SHA? I
searched, but couldn’t find any.

2) Is there a proper Microsoft update to add TLS_RSA_WITH_AES_128_CBC_SHA to
Win2003? I don’t know how we can miss it if we do a complete update, but just
to be on the safer side, since I don’t see any registry evidence.

Thanks!

Regds,
K.C.Rao
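The poster verified in a sniffer which suites the supplicant offered; the complementary check is what the server actually selected in its ServerHello, since with PEAP the TLS handshake is carried inside EAP-PEAP fragments rather than on a bare TCP port. The following script is an added example, not code from the original post or from wpa_supplicant or IAS: it strips the EAP header and PEAP flags byte, walks the TLS 1.0 records, and reports the suites offered in the ClientHello and the one chosen in the ServerHello. The two EAP frames it parses are constructed inline for illustration; the helper names (`eap_tls_payload`, `client_hello_suites`, `server_hello_suite`) are my own.

```python
"""Pull the TLS ClientHello/ServerHello cipher suites out of EAP-PEAP frames.

Added example, not part of the original post. Protocol facts relied on: the
EAP header (code, id, length, type), the EAP-TLS/PEAP flags byte with its
optional 4-byte TLS message length (L flag = 0x80), and the TLS 1.0 record and
handshake layout. The sample frames below are constructed by hand.
"""
import struct

# Cipher suite IDs from the TLS registry, limited to the two in the thread.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

EAP_TYPE_PEAP = 25
FLAG_L = 0x80          # "length included" bit in the PEAP flags byte
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2


def eap_tls_payload(frame: bytes) -> bytes:
    """Strip the EAP header and PEAP flags; return the raw TLS record bytes."""
    _code, _ident, length = struct.unpack("!BBH", frame[:4])
    if length != len(frame):
        raise ValueError("EAP length field does not match frame size")
    if frame[4] != EAP_TYPE_PEAP:
        raise ValueError("not an EAP-PEAP frame: type %d" % frame[4])
    off = 6
    if frame[5] & FLAG_L:
        off += 4       # skip the total TLS message length
    return frame[off:]


def handshake_messages(tls: bytes):
    """Yield (handshake_type, body) for each handshake message in the records."""
    pos = 0
    while pos < len(tls):
        ctype, _ver, rlen = struct.unpack("!BHH", tls[pos:pos + 5])
        record = tls[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != 22:  # only handshake records (type 22) carry hellos
            continue
        hpos = 0
        while hpos < len(record):
            hlen = int.from_bytes(record[hpos + 1:hpos + 4], "big")
            yield record[hpos], record[hpos + 4:hpos + 4 + hlen]
            hpos += 4 + hlen


def _skip_version_random_session(body: bytes) -> int:
    """Offset just past version (2), random (32) and the session id vector."""
    pos = 2 + 32
    return pos + 1 + body[pos]


def client_hello_suites(frame: bytes):
    """Names of the cipher suites offered in the ClientHello, in offer order."""
    for htype, body in handshake_messages(eap_tls_payload(frame)):
        if htype != HS_CLIENT_HELLO:
            continue
        pos = _skip_version_random_session(body)
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        ids = struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len])
        return [SUITES.get(i, "0x%04X" % i) for i in ids]
    raise ValueError("no ClientHello found")


def server_hello_suite(frame: bytes) -> str:
    """Name of the single cipher suite the server selected in its ServerHello."""
    for htype, body in handshake_messages(eap_tls_payload(frame)):
        if htype != HS_SERVER_HELLO:
            continue
        pos = _skip_version_random_session(body)
        cs = struct.unpack("!H", body[pos:pos + 2])[0]
        return SUITES.get(cs, "0x%04X" % cs)
    raise ValueError("no ServerHello found")


# --- constructed sample frames (not a real capture) -------------------------
def _hello(htype: int, suites: bytes) -> bytes:
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + suites   # TLS 1.0, empty sid
    body += b"\x01\x00" if htype == HS_CLIENT_HELLO else b"\x00"  # null compression
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def _eap(code: int, ident: int, tls: bytes) -> bytes:
    payload = bytes([EAP_TYPE_PEAP, FLAG_L]) + struct.pack("!I", len(tls)) + tls
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


# Supplicant offers AES-128-CBC-SHA first, RC4-128-SHA second.
CLIENT_HELLO_FRAME = _eap(2, 1, _hello(
    HS_CLIENT_HELLO, struct.pack("!HHH", 4, 0x002F, 0x0005)))
# Server answers with AES-128-CBC-SHA.
SERVER_HELLO_FRAME = _eap(1, 2, _hello(HS_SERVER_HELLO, struct.pack("!H", 0x002F)))

if __name__ == "__main__":
    print("offered :", client_hello_suites(CLIENT_HELLO_FRAME))
    print("selected:", server_hello_suite(SERVER_HELLO_FRAME))
```

Feed it the EAP-Response/PEAP and EAP-Request/PEAP frames extracted from the RADIUS EAP-Message attributes of a real capture; if the server keeps selecting the RC4 suite even though AES-128-CBC-SHA is offered first, the server side, not the supplicant's username/password handling, is where to look.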
K.C.Rao
2009-02-27 13:09:01 UTC
Post by K.C.Rao
I am running IAS on Windows Server 2003 SP2. I am trying to use
PEAPv0/EAP-MSCHAPv2 with the TLS cipher suite TLS_RSA_WITH_AES_128_CBC_SHA. I
am using the Open Source supplicant, wpa_supplicant. We are having to use TLS
v1.0. I can’t get the authentication to work with IAS.
Ok, we went ahead and tried the following hotfix:
http://support.microsoft.com/kb/948963

Everything is working now.
