PEAP/MSCHAPv2 failing with Windows 7

Gary Gatten Ggatten at waddell.com
Tue May 10 14:15:56 CEST 2011


The same FR instance works perfectly using the same Aruba controller and user creds if the client OS is XP.  As noted, everything also works with Windows 7 if you don't select "use windows login info".

----- Original Message -----
From: ironrake at yahoo.com [mailto:ironrake at yahoo.com]
Sent: Tuesday, May 10, 2011 06:40 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

Check some basic stuff too. Make sure your radius user can run ntlm_auth.

-----Original Message-----
From: Phil Mayers <p.mayers at imperial.ac.uk>
Sender: freeradius-users-bounces+ironrake=yahoo.com at lists.freeradius.org
Date: Tue, 10 May 2011 09:55:54 
To: <freeradius-users at lists.freeradius.org>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

On 05/09/2011 10:55 PM, Gary Gatten wrote:

>
> Exec-Program output: Logon failure (0xc000006d)
>
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
>
> Exec-Program: returned: 1
>
> [mschap] External script failed.
>
> [mschap] FAILED: MS-CHAP2-Response is incorrect
>
> ++[mschap] returns reject

You've trimmed the debug output, so we can't see what the problem is. 
Don't do that.

> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE “automatically use
> my windows logon name and password” and instead enter the credentials
> manually it works.

Are the machines domain members?

> I should note, it appears the Aruba gear is terminating the PEAP – FR
> only sees an MSCHAP request.

DEFINITELY don't do that!

Is it passing the PEAP inner as EAP-MSCHAPv2 or plain MS-CHAPv2?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
