Authentication issues with Win7 and WPA/WPA2 Enterprise
Gary Gatten
Ggatten at waddell.com
Wed May 18 22:41:18 CEST 2011
Initial test results passing PEAP et al to FR (vs. Aruba terminating PEAP) and "proxying" MSCHAP APPEAR to work well. Testing is by no means 100% complete, but so far so good. Scenarios that used to result in a reject are now working as expected. I had an initial problem 'cause I installed this to /devel/ to test with and I mucked something up and many files and dirs ended up directly unders /devel instead of for instance /devel/raddb/. I created raddb and copied certs there and it was more happy.
FWIW: We are NOT using client certs at this time, we are using the PEAP/MSCHAPv2 and "use my windows credentials" option.
Thanks!
Gary
-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, May 18, 2011 12:41 PM
To: 'freeradius-users at lists.freeradius.org'
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
I have a 2.1.10 server we are tesing with, but I thought the patch you mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x?
We will be testing passing the entire *eap session to FR this afternoon.
----- Original Message -----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Wednesday, May 18, 2011 12:29 PM
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.
As per previous posts:
Your Aruba wireless equipment is:
a. Terminating the outer EAP-PEAP
b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2
I strongly suspect this will be causing the problems you are having, and
I even suspect I know how - I think it's probably clients typing in
their username in mIxEd-CaSe, which will cause cryptographich (hash)
mismatches at client and server without careful preservation of the EAP
payload.
As per Neal Garber's post of 10th May, even FreeRADIUS had problems with
this prior to 2.1.10
Are you / have you been able to:
1. stop terminating the PEAP on the Aruba
2. upgrade to FreeRADIUS 2.1.10
?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
</font>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
</font>
More information about the Freeradius-Users
mailing list