Authentication issues with Win7 and WPA/WPA2 Enterprise

Simon L. fantasnews at ki.tng.de
Thu May 19 14:09:52 CEST 2011


Thanks for the answers!

Phil Mayers wrote:

> On 18/05/11 16:26, Simon L. wrote:
>
>> Using WPA2-Enterprise results in Access-Rejects after one Request.
>
> That is not normal. WPA2 should be the same as WPA at the radius level.

I'll give it another try this evening.


>> Using WPA-Enterprise results in about nine different Access-Challenges
>> and one final Access-Accept - that can't be right.
>
> That is normal. EAP exchanges are usually 9/10 request/challenge pairs
> followed by a final request/accept.
>
> What exactly is your problem?

Lack of knowledge :) If those challenges are necessary then I've got no
problem at this point. Thanks for the info!


>> I have set up a testing scenario with the local test user bob. If local
>> authentication works properly I want to proxy all requests without EAP
>> to another freeradius server. I will have questions about that later :)
>>
>> radtest from localhost and remotehost succeeded.
>
> Sorry - radtest does not do EAP. radtest is not a valid test.

I know, I just followed the FAQ for using the mailing list on
freeradius.org. Just to verify that the very basics are working.

>> I don't have a clue if the problem is Windows, certificates, network or
>> simply misconfigured freeradius.
>
> You haven't told us what the problem is. WPA-Enterprise is working for
> you - the radius server is sending an access-accept. What problem are
> you experiencing?

As you told me above, I know -now- there is no problem with that. :)

>> certificates:
>> - I built the certs with and without that Windows extension OID in
>> server.cnf with make from ../raddb/certs
>
> Why? You MUST include the OID.

I was not sure if it's recommended for Windows 7 too, because everywhere
it's mentioned with XP SP2+ only and not for later Windows in general.

>> - 2048 bit
>>
>> Windows 7:
>> - installed ca.der as root cert in Win7 and configured it for the
>> desired WiFi network
>> - to my eyes no difference in debug logs whether validating the server
>> cert or not.
>
> "Validate server cert" is done on the client. You won't see any
> difference on the server.
>
>> - unchecked using Windows user or domain for auth
>> - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for
>> EAP-TLS, right?
>
> PEAP uses TLS. PEAP needs certs too.

>> WAP:
>> - WPA2 Enterprise with AES no accept packet possible until now
>
> As above - that's not normal.
>
> The debug you sent contains no reject. Please send a debug for this case.

I will generate a separate log for the WPA2 scenario soon.

>> - WPA Enterprise with AES results in that 9-times Challenges until
>> accept
>
> As above - this is normal
>
> Access-Accept means everything is working.

You made my day!

> If you are still having problems after the Access-Accept, you need to
> describe what those problems are.
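
Added example, not part of the original thread and not FreeRADIUS code: a Python triage helper that applies the rule of thumb from this exchange (several request/challenge pairs ending in Access-Accept is normal; Access-Reject after a single request is not). The trace format, station IDs, verdict names and function names are constructed for illustration and are not `radiusd -X` output.

```python
import re

# Constructed, simplified trace format (NOT verbatim radiusd -X output):
#   "<recv|send> <packet type> station=<Calling-Station-Id>"
LINE = re.compile(
    r"^(recv|send) (Access-(?:Request|Challenge|Accept|Reject)) station=(\S+)$")

def make_conversation(station, challenges, final=None):
    """Build constructed lines: N request/challenge pairs, then an optional
    final request answered by Access-Accept or Access-Reject."""
    req = f"recv Access-Request station={station}"
    lines = [req, f"send Access-Challenge station={station}"] * challenges
    if final:
        lines += [req, f"send {final} station={station}"]
    return lines

def classify(trace_lines):
    """Return {station: (verdict, challenge_count)}; one conversation per station."""
    state = {}
    for line in trace_lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a packet summary line
        _, ptype, station = m.groups()
        s = state.setdefault(station, {"challenges": 0, "final": None})
        if ptype == "Access-Challenge":
            s["challenges"] += 1
        elif ptype != "Access-Request":
            s["final"] = ptype
    result = {}
    for station, s in state.items():
        if s["final"] == "Access-Accept":
            verdict = "ok"                 # challenges, then accept: normal EAP
        elif s["final"] == "Access-Reject" and s["challenges"] == 0:
            verdict = "reject-before-eap"  # rejected after one request: not normal
        elif s["final"] == "Access-Reject":
            verdict = "reject-during-eap"  # rejected part-way through the exchange
        else:
            verdict = "incomplete"         # no final reply seen in the trace
        result[station] = (verdict, s["challenges"])
    return result

# Constructed sample: three supplicants, one per outcome of interest.
SAMPLE = (make_conversation("00-11-22-33-44-01", 9, "Access-Accept")
          + make_conversation("00-11-22-33-44-02", 0, "Access-Reject")
          + make_conversation("00-11-22-33-44-03", 4))

if __name__ == "__main__":
    for station, (verdict, n) in classify(SAMPLE).items():
        print(f"{station}: {verdict} after {n} Access-Challenge packets")
```
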


