Hello Alan, The "Radiator" people are talking about problems with SSL empty fragments handing in Windows Vista ... I've tried to compile FreeRADIUS with SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same, clients can't connect! in: http://www.open.com.au/radiator/history.html
# Enabled SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in PEAP TLS, to work around a problem with Vista Beta 2 clients, where the extra empty fragment (sent as a security measure by OpenSSL) confuses the Vista PEAP supplicant. See http://www.openssl.org/~bodo/tls-cbc.txt for reasons behind the empty fragments. Reported by David Spindler.
Best Regards! Wednesday, October 4, 2006, 4:14:25 PM, you wrote:
"King, Michael" <MKing@bridgew.edu> wrote:
So we've been using FreeRADIUS talking to ActiveDirectory to authenticate our WinXP clients (Over 2000) for over a year now. Along comes Vista. Of COURSE it doesn't work. Microsoft changed something, and it broke a working config. Arrg.
You'll have to re-build & re-install the EAP module (you don't need to touch the rest of the server). It won't help, but it will print out a little more information. We'll probably have to do a few cycles before it's tracked down, though.
My (amatuer) analyis, (Aka my gut) is that Vista is Doing something in TLS, not PEAP. (I don't see my mschap module fire).
The TLS tunnel is set up, BUT vista is doing something slightly different that confuses FreeRADIUS, so FreeRADIUS doesn't continue the EAP conversation.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best regards, =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Pedro Ribeiro IPLNet - Rede de dados e comunicações Instituto Politécnico de Lisboa (IPL) Mail: mailto:pribeiro@net.ipl.pt VoIP: sip:pribeiro@net.ipl.pt =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-