Krzysztof Srokowski wrote:
I`m sorry, I`m using pfSense release 1.2.3, with freeradius package 1.1.2_1 (latest)
Uh... upgrade. 1.1.2 is *very* old. It's very likely that it won't work with recent versions of Windows. Fixes to work around Windows "issues" went into later versions of the server, and aren't in 1.1.2.
Below I describe my configuration;
1. pfSense with freeradius 1.1.2_1 2. Access Point Linksys WRT54G 3. Clients Windows XP SP3 and Windows 7
My goal was to create WiFi access with WPA2 (AES) + EAP-PEAP(MSCHAPv2). For tests I generated server certificate from my own CA. Both certificates CA certificate, and server certificate was transferred to freeradius server and configured in eap.conf file in tls section. I made also other configurations to use peap protocol and mschapv2.
The second step was the clients. My root CA certificate was installed to certificate repo in system. I checked all required options in connection properities like (use WPA2 with AES, PEAP, verify server certificate also with root CA certificate which was imported before). When I tried to connect from XP client everything is fine, client is authorized and connection works without problem. But from Windows 7 client its not. Same configuration, same settings, and I get error in radius.log:
---- " Tue Oct 19 13:01:06 2010 : Error: TLS Alert read:fatal:unknown CA Tue Oct 19 13:01:06 2010 : Error: TLS_accept:failed in SSLv3 read client certificate A Tue Oct 19 13:01:06 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca Tue Oct 19 13:01:06 2010 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. Tue Oct 19 13:01:06 2010 : Auth: Login incorrect: [host/um4910142413/<no User-Password attribute>] (from client WRT54G port 35 cli 000e2e950bbd) "
<shrug> Those error messages are pretty definitive. In any case, I wouldn't bother trying to track down the problem. Install 2.1.10, and then follow the EAP / Windows instructions on my web site: http://deployingradius.com Alan DeKok.