802.1x on Active Directory: no errors in debug but auth fails
Domenico Viggiani
dviggiani at tiscali.it
Mon Feb 7 14:52:24 CET 2011
> > > ..this is where it ends - an access challenge never gets responded to.
> > > do you have the CA of the RADIUS server installed on the client?
> > No but I disabled "Validate Server Certificate" on the client. Is it not enough?
>
> add the CA

Done but same problem. I read certs/README file with MANY other caveats
about Windows:

- Windows requires certain OID's in the certificates. If it doesn't
  see them, it will stop doing EAP. The most visible effect is
  that the client starts EAP, gets a few Access-Challenge packets,
  and then a little while later re-starts EAP. If this happens, see
  the FAQ, and the comments in raddb/eap.conf for how to fix it.
- Windows requires the root certificates to be on the client PC.
  If it doesn't have them, you will see the same issue as above.
- Windows XP post SP2 has a bug where it has problems with
  certificate chains. i.e. if the server certificate is an
  intermediate one, and not a root one, then authentication will
  silently fail, as above.

I'm sorry to have blamed Freeradius.
I'm forced to abandon this project and resort to M$'NAP server :(
Thanks
--
DV
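
The certificate conditions in the certs/README excerpt quoted above can be checked on the RADIUS side with openssl before changing anything on the client. This is an added example, not part of the original post or of FreeRADIUS: the helper names, file names and throwaway certificates are constructed, and it assumes the OID the README means is the TLS Web Server Authentication EKU (1.3.6.1.5.5.7.3.1), which the post does not name.

```shell
#!/bin/sh
# Added example (not from the post). Helper and file names are hypothetical.

# Returns 0 = passes; 1 = serverAuth EKU missing; 2 = not issued directly by ROOT.
check_eap_server_cert() {  # args: CERT ROOT
    # Assumed OID: the "TLS Web Server Authentication" EKU, 1.3.6.1.5.5.7.3.1.
    openssl x509 -in "$1" -noout -text |
        grep 'TLS Web Server Authentication' >/dev/null || return 1
    # The cert's issuer must be the root itself; otherwise an intermediate
    # sits in between (the certificate-chain caveat in the README).
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    sub=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    [ "$iss" = "$sub" ] || return 2
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 2
}

# Constructed fixtures: a throwaway root, an intermediate, three server certs.
issue() {  # args: DIR NAME CN SIGNER EXTENSION-LINE
    printf '%s\n' "$5" > "$1/$2.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -extfile "$1/$2.ext" -days 2 -out "$1/$2.pem" 2>/dev/null
}
make_demo_certs() {  # args: DIR
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
        -keyout "$1/root.key" -out "$1/root.pem" -days 2 2>/dev/null
    issue "$1" good radius.example.test root 'extendedKeyUsage=1.3.6.1.5.5.7.3.1'
    issue "$1" noeku radius.example.test root 'keyUsage=digitalSignature'
    issue "$1" inter 'Demo Intermediate' root 'basicConstraints=critical,CA:TRUE'
    issue "$1" chained radius.example.test inter 'extendedKeyUsage=1.3.6.1.5.5.7.3.1'
}

# Demo run over the constructed certificates.
d=$(mktemp -d) && make_demo_certs "$d"
for c in good noeku chained; do
    check_eap_server_cert "$d/$c.pem" "$d/root.pem" && rc=0 || rc=$?
    echo "$c.pem: exit $rc"
done
rm -rf "$d"
```

Against a real deployment, pass the server certificate configured in raddb/eap.conf and the root CA file that was installed on the Windows client.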