On Mar 6, 2025, at 3:48 PM, Sam Yun <sam....@microsoft.com> wrote:
> Question for y'all, looking at the matrix:
>
> Windows + hostapd + FreeRADIUS + tls[machine],tls[user] - note says
> "Supplicant only supports MSK for EAP-TLS, User authentication fails as QEMU
> unable to emulate usable Smartcard (Supplicant popup awaiting suitable user
> Smartcard credential); Supplicant sends null identity (indicating no
> credentials available?)".
>
> Is there a reason y'all are using an emulated smart card (which apparently
> doesn't work)? Why not install a TLS cert on the Windows client and update
> the profile to use that cert(s)?
It's a matter of time / effort, and automation. It's on the list.

> We do run interop testing between Windows + Clearpass, where we do
> tls[machine], tls[user] and Windows + ISE, where we do tls[user],
> tls[machine]. So I can confirm those two combinations do work in production
> today.

When Windows sends the Crypto-Binding TLV, it only includes the MSK Compound MAC. The EMSK Compound MAC field is always zero. This means that the server implementations never had a chance to verify their calculations of the EMSK Compound MAC.

Each server implementation has used a different method to calculate the EMSK Compound MAC. The result is that we cannot change the definition of the EMSK Compound MAC. Whatever decision we make, the result will work only for one server, and will cause authentication to fail on all other servers which are currently running in production systems.

The only way to not break shipping code is to declare that TEAPv1 only uses the MSK Compound MAC. We know that this works for all public code.

We can then define TEAPv2, with a new method for calculating the EMSK Compound MAC. Servers implementing TEAPv2 will be able to negotiate down to TEAPv1. Where supplicants implement TEAPv2, we can do testing before we issue a TEAPv2 document. And we can do testing before we ship that code in production environments.

No one will be required to upgrade to TEAPv2, but people who do upgrade will be able to use the EMSK Compound MAC.

  Alan DeKok.

_______________________________________________
Emu mailing list -- emu@ietf.org
To unsubscribe send an email to emu-le...@ietf.org
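The Crypto-Binding TLV behaviour described in the message above, as an added example that is not code from the thread, from hostapd, FreeRADIUS or any other implementation: a parser for the RFC 7170 Crypto-Binding TLV (type 12, 76-octet body: Reserved, Version, Received Version, Flags/Sub-Type, 32-octet Nonce, 20-octet EMSK Compound MAC, 20-octet MSK Compound MAC) together with a check of the MSK Compound MAC that also reports an all-zero EMSK Compound MAC field. The CMK values, nonce and TLVs are constructed for the example; RFC 7170 ties the MAC function to the one negotiated in TLS, and the default of HMAC-SHA1 truncated to the 20-octet field is this example's assumption. It deliberately does not try to reproduce any server's EMSK Compound MAC derivation, which is exactly the part the thread says differs between implementations.

```python
"""TEAP Crypto-Binding TLV (RFC 7170 section 4.2.13) parser and Compound MAC
check.  Added example for the mailing-list discussion; not code from any
TEAP implementation.  Keys, nonce and TLVs below are constructed."""
import hashlib
import hmac
import struct
from typing import Optional

TEAP_EAP_TYPE = 55                 # EAP Type for TEAP (0x37), appended to BUFFER
CRYPTO_BINDING_TLV_TYPE = 12
CRYPTO_BINDING_BODY_LEN = 76       # 1 + 1 + 1 + 1 + 32 + 20 + 20 octets

FLAG_EMSK_MAC = 0x1                # Flags nibble: EMSK Compound MAC present
FLAG_MSK_MAC = 0x2                 # Flags nibble: MSK Compound MAC present
SUBTYPE_REQUEST, SUBTYPE_RESPONSE = 0, 1

# Constructed 20-octet CMKs standing in for CMK[j] from the TEAP key hierarchy.
SAMPLE_MSK_CMK = hashlib.sha1(b"constructed MSK-derived CMK").digest()
SAMPLE_EMSK_CMK = hashlib.sha1(b"constructed EMSK-derived CMK").digest()


def parse_crypto_binding(tlv: bytes) -> dict:
    """Split a Crypto-Binding TLV (header + body) into its fields."""
    if len(tlv) < 4:
        raise ValueError("short TLV header")
    type_field, length = struct.unpack("!HH", tlv[:4])
    tlv_type = type_field & 0x3FFF                     # strip M and R bits
    if tlv_type != CRYPTO_BINDING_TLV_TYPE:
        raise ValueError(f"not a Crypto-Binding TLV (type {tlv_type})")
    if length != CRYPTO_BINDING_BODY_LEN or len(tlv) < 4 + length:
        raise ValueError(f"bad Crypto-Binding length {length}")
    body = tlv[4:4 + length]
    _reserved, version, received_version, flags_subtype = body[:4]
    return {
        "mandatory": bool(type_field & 0x8000),
        "version": version,
        "received_version": received_version,
        "flags": flags_subtype >> 4,
        "subtype": flags_subtype & 0x0F,
        "nonce": body[4:36],
        "emsk_compound_mac": body[36:56],
        "msk_compound_mac": body[56:76],
    }


def compound_mac_buffer(tlv: bytes) -> bytes:
    """BUFFER from RFC 7170 section 5.3: the whole TLV with both Compound MAC
    fields zeroed, followed by the one-octet EAP Type of TEAP."""
    zeroed = bytearray(tlv[:4 + CRYPTO_BINDING_BODY_LEN])
    zeroed[4 + 36:4 + 76] = bytes(40)
    return bytes(zeroed) + bytes([TEAP_EAP_TYPE])


def compound_mac(cmk: bytes, tlv: bytes, mac_hash=hashlib.sha1) -> bytes:
    """Compound-MAC = MAC(CMK, BUFFER).  HMAC-SHA1 truncated to the 20-octet
    field is an assumption of this example, not a statement about any server."""
    return hmac.new(cmk, compound_mac_buffer(tlv), mac_hash).digest()[:20]


def build_crypto_binding(msk_cmk: bytes, nonce: bytes, subtype: int, flags: int,
                         emsk_cmk: Optional[bytes] = None, version: int = 1) -> bytes:
    """Build a TLV; the EMSK field is left all-zero unless the flags claim it
    and an EMSK CMK is supplied (the MSK-only case matches the thread)."""
    header = struct.pack("!HH", 0x8000 | CRYPTO_BINDING_TLV_TYPE, CRYPTO_BINDING_BODY_LEN)
    body = bytes([0, version, version, (flags << 4) | subtype]) + nonce + bytes(40)
    tlv = header + body
    msk_mac = compound_mac(msk_cmk, tlv)
    emsk_mac = bytes(20)
    if emsk_cmk is not None and flags & FLAG_EMSK_MAC:
        emsk_mac = compound_mac(emsk_cmk, tlv)
    return header + body[:36] + emsk_mac + msk_mac


def check_crypto_binding(tlv: bytes, msk_cmk: bytes,
                         emsk_cmk: Optional[bytes] = None) -> dict:
    """Verify the MSK Compound MAC and report what the EMSK field contains.
    emsk_mac_ok stays None when the field is all-zero or no EMSK CMK is given,
    so a server can see that the EMSK path was never actually exercised."""
    fields = parse_crypto_binding(tlv)
    emsk_zero = fields["emsk_compound_mac"] == bytes(20)
    result = {
        "flags_claim_emsk": bool(fields["flags"] & FLAG_EMSK_MAC),
        "flags_claim_msk": bool(fields["flags"] & FLAG_MSK_MAC),
        "emsk_mac_all_zero": emsk_zero,
        "msk_mac_ok": hmac.compare_digest(compound_mac(msk_cmk, tlv),
                                          fields["msk_compound_mac"]),
        "emsk_mac_ok": None,
    }
    if emsk_cmk is not None and not emsk_zero:
        result["emsk_mac_ok"] = hmac.compare_digest(compound_mac(emsk_cmk, tlv),
                                                    fields["emsk_compound_mac"])
    return result


def demo() -> dict:
    """A supplicant that only implements the MSK Compound MAC, as the thread
    describes for Windows: flags = MSK only, EMSK Compound MAC field zero."""
    nonce = bytes(range(32))                           # constructed nonce
    tlv = build_crypto_binding(SAMPLE_MSK_CMK, nonce, SUBTYPE_RESPONSE, FLAG_MSK_MAC)
    return check_crypto_binding(tlv, SAMPLE_MSK_CMK, SAMPLE_EMSK_CMK)


if __name__ == "__main__":
    print(demo())
```

The point of separating `flags_claim_emsk` from `emsk_mac_all_zero` is the situation the thread describes: when every supplicant a server has ever seen leaves the EMSK field zero, the server's own EMSK Compound MAC code path has never been tested against a peer, so an interop matrix should record which of the two fields was actually verified rather than just "crypto-binding OK".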