No EAP/TLS with XP SP3 since End December
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jan 3 12:31:26 CET 2011
On 01/03/2011 11:09 AM, Alexandros Gougousoudis wrote:
> Alan DeKok wrote:
>> See if your certificate has expired.
>>
>
> Nope, that was the first thing I checked. Server and client-cert are still
> valid. It seems that no XP client (even some old SP2 clients) can log on
> anymore, Ubuntu can.
>
> Is there some possibility to force a "Login OK" as a Default-Action in
> the "users"-file? That could take out the pressure here.

No. EAP must complete successfully - it is a challenge/response. You
can't just skip to the end of the "response".

To be clear, all Windows clients fail? But other clients succeed?

It is possible a Windows update has removed the intermediate certificate
from the client(s). IIRC Microsoft have done this in the past, expecting
the intermediate CA to be provided during TLS negotiation. In this case,
you need to have the correct CA (chain) at the FreeRadius side. Have you
got this configured correctly?

It won't help running such an old version of FreeRadius.
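
A server-side check for the situation described above: does the certificate file the server presents carry its intermediate(s), so that a client holding only the root can still build the chain? This is an added example using the OpenSSL command line, not part of the original message; `check_served_chain` and `make_demo_pki` are hypothetical helper names, and the demo PKI is a constructed throwaway chain.

```shell
#!/bin/sh
# Added example. check_served_chain and make_demo_pki are hypothetical helper names.

# check_served_chain BUNDLE ROOT
#   BUNDLE: PEM file the RADIUS server presents (server cert first, then intermediates)
#   ROOT:   PEM file holding only the root CA the client still trusts
# Succeeds only if the server cert verifies from what the server sends plus ROOT,
# i.e. the client needs no locally installed intermediate. Returns 2 if BUNDLE
# holds no certificate. Note: OpenSSL may also consult its default CA directory.
check_served_chain() {
    bundle=$1; root=$2
    tmp=$(mktemp -d) || return 2
    # First certificate -> leaf.pem, any further certificates -> extra.pem.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; inc = 1
            f = (n == 1) ? d "/leaf.pem" : d "/extra.pem" }
        inc { print > f }
        /-----END CERTIFICATE-----/ { inc = 0 }
    ' "$bundle"
    if [ ! -s "$tmp/leaf.pem" ]; then rm -rf "$tmp"; return 2; fi
    # -untrusted supplies chain material without making it a trust anchor.
    if [ -s "$tmp/extra.pem" ]; then
        openssl verify -CAfile "$root" -untrusted "$tmp/extra.pem" "$tmp/leaf.pem" 2>/dev/null
    else
        openssl verify -CAfile "$root" "$tmp/leaf.pem" 2>/dev/null
    fi | grep -q ': OK$'
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# make_demo_pki DIR: constructed throwaway root -> intermediate -> server chain.
make_demo_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root int srv; do
        openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr \
            -subj "/CN=constructed-$n.example.test" || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out int.pem &&
    openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out srv.pem &&
    cat srv.pem int.pem > with-chain.pem && cp srv.pem leaf-only.pem
) >/dev/null 2>&1
```

Run against the demo files, `with-chain.pem` passes and `leaf-only.pem` fails, which is the pattern a client without the intermediate would see.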