Win 7 IKEv2+PEAP = "no NPS server"?
Stefan Winter
stefan.winter at restena.lu
Thu Apr 8 15:27:45 CEST 2010
Hello,
I wonder if anyone else has come across this already... Google is not
very helpful here.
We're setting up a VPN Server (strongswan) with Windows 7 in IKEv2 mode.
The client side is supposed to authenticate with PEAP(*) to FreeRADIUS.
That works pretty well, but on the first PEAP connection to the server,
there's a big fat warning on the Win 7 UI: "You're connecting to a
server which is not a valid NPS Server for this domain. You are strongly
discouraged from continuing... bla..." If you click Connect, *everything
works*. Now I'm wondering what needs to be done to make that useless
warning go away... Maybe the FreeRADIUS server certificate needs yet
another Extended Key Usage or so? I didn't really find helpful
documentation.
I wonder why it's Win 7's business anyway: of course the other end is
not a NPS server. It's FreeRADIUS. But why would an EAP client consider
it its own business to warn about a vendor discrepancy on the RADIUS far
end?
Greetings,
Stefan Winter
(*) If you just select EAP-MSCHAPv2 (no inner tunnel), the end result at
the FR side is a crippled User-Name (which makes it impossible to auth
users). Whether it's Win 7 or the strongswan EAP -> RADIUS conversion
that gets it wrong, I don't know.
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100408/19b97fe7/attachment.pgp>
More information about the Freeradius-Users
mailing list