Windows Vista doing PEAP
pribeiro-bulk at net.ipl.pt
Tue Nov 28 17:40:40 CET 2006
The "Radiator" people are talking about problems with SSL empty
fragments handling in Windows Vista ...
I've tried to compile FreeRADIUS with
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same,
clients can't connect!
> # Enabled SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in PEAP TLS, to work
> around a problem with Vista Beta 2 clients, where the extra empty
> fragment (sent as a security measure by OpenSSL) confuses the Vista
> PEAP supplicant. See http://www.openssl.org/~bodo/tls-cbc.txt for
> reasons behind the empty fragments. Reported by David Spindler.
Wednesday, October 4, 2006, 4:14:25 PM, you wrote:
> "King, Michael" <MKing at bridgew.edu> wrote:
>> So we've been using FreeRADIUS talking to ActiveDirectory to
>> authenticate our WinXP clients (Over 2000) for over a year now.
>> Along comes Vista. Of COURSE it doesn't work. Microsoft changed
>> something, and it broke a working config. Arrg.
> Try: http://www.striker.ottawa.on.ca/~aland/vista.patch
> You'll have to re-build & re-install the EAP module (you don't need
> to touch the rest of the server). It won't help, but it will print
> out a little more information. We'll probably have to do a few cycles
> before it's tracked down, though.
>> My (amateur) analysis, (aka my gut) is that Vista is doing something in
>> TLS, not PEAP. (I don't see my mschap module fire).
> The TLS tunnel is set up, BUT Vista is doing something slightly
> different that confuses FreeRADIUS, so FreeRADIUS doesn't continue the
> EAP conversation.
> Alan DeKok.
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
IPLNet - Data and communications network
Instituto Politécnico de Lisboa (IPL)
Mail: mailto:pribeiro at net.ipl.pt
VoIP: sip:pribeiro at net.ipl.pt