Authentication issues with Win7 and WPA/WPA2 Enterprise

Gary Gatten Ggatten at waddell.com
Wed May 18 17:50:01 CEST 2011


I can't comment on your problem right now, but be aware there seem to be MANY issues with Windows 7.  Our config works PERFECTLY with XP, Apple IOS, and other "basic" stuff.  When we started testing Windows 7 (WPA2 Enterprise) we ran into all kinds of weirdness.  And just when we think we have a working config and have a few users start testing, it breaks.

The web is littered with people having problems with Windows 7.  I'm convinced the W7 Supplicant is really broken.  In our environment FR doesn't even see the PEAP, just an MSCHAP, and that even fails!

Anyway...  Maybe if someone knows of a tool to dehash/decrypt the MSCHAP stuff I could actually see what's different in the requests between a working auth and a rejected auth.  Right now we're grasping at straws and can't figure out why MS is essentially doing nothing about this...

G


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Simon L.
Sent: Wednesday, May 18, 2011 10:27 AM
To: FreeRadius users mailing list
Subject: Authentication issues with Win7 and WPA/WPA2 Enterprise

Dear Users,

I hope you will be patient with me, it's my first time with freeradius.

I have problems authenticating Windows 7 clients with freeradius.

Using WPA2-Enterprise results in Access-Rejects after one Request.
Using WPA-Enterprise results in about nine different Access-Challenges
and one final Access-Accept - that can't be right.

I have set up a testing scenario with the local test user bob. If local
authentication works properly I want to proxy all requests without EAP
to another freeradius server. I will have questions about that later :)

radtest from localhost and remotehost succeeded.

Setting:

Win7_Client<-----WLAN----->WAP LinksysWRT54gl<------MPLS-Network over PPPoE----------->FreeRADIUS_proxy(<---------------------------->FreeRADIUS_main)
Windows 7                           dd-wrt v24 SP2                      Ubuntu Server 10.4.2, freeradius 2.1.10 generic
                                               10.73.108.254            internal: 10.0.73.1  external: 213.x.x.x

I don't have a clue whether the problem is Windows, certificates, network or
simply a misconfigured freeradius.

certificates:
- I built the certs with and without that windows extension OID in
server.cnf with make from ../raddb/certs
- 2048 bit

Windows 7:
- installed ca.der as root cert in win7 and configured it for the
desired WiFi network
- to my eyes no difference in the debug logs whether the server cert is validated or not.
- unchecked using windows user or domain for auth
- EAP comes with PEAP/MSCHAPv2 as default - but the certs are for
eap-tls, right?

WAP:
- WPA2 Enterprise with AES no accept packet possible until now
- WPA Enterprise with AES results in that 9-times Challenges until accept

freeRADIUS:
- compiled with installed openSSL dev lib
- default config as it comes out of the box, except: added user bob with
cleartext password in users, added the WAP as client in clients.conf,
changed default_eap_type = "peap" and private_key_password =
"MYSECRET_FROM_SERVER_CERT" in eap.conf

For configuration and stuff, please look at the attached debug.log from running
radiusd -X.
debug.log contains the output of radiusd -X with Access-Requests over
WPA-Enterprise.

I hope you got a hint for me.
Thanks !


Simon










