i want to implement peap for my wifi connection. I have set up the access point(D-Link DWL 2100 AP) for using FreeRADIUS 2.1 For authentication.Whenever i send a request from the client to the server,the server fails to authenticate the client. What happens can be seen in the debug code attached below.The problem may be due to the fact that the server certificate used requires to be signed by special XP extensions but i am not sure about it.I am currently using the default certificates created when FreeRADIUS 2.1 is first installed.Can anyone please tell me why the error is occuring and what the remedy for this is?? I am using Fedora 8 as server. Debug output for FreeRADIUS is as follows: [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.1.250 port 1034 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9927156798250cebdde85f1a77c9228b Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=2, length=290 Message-Authenticator = 0xf65b54a824859ff5858d51b34bb2ea0a Service-Type = Framed-User User-Name = "ITDEPT.COM\\scoe\000" Framed-MTU = 1488 State = 0x9927156798250cebdde85f1a77c9228b Called-Station-Id = "00-17-9A-09-C4-DD:scoeit" Calling-Station-Id = "00-13-02-12-16-6E" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0202005019800000004616030100410100003d030149b8c76c86fa22fb3b65c1a3da9d93f69b65a4f9489aaffaa42657f64516c2f600001600040005000a000900640062000300060013001200630100 NAS-IP-Address = 192.168.1.250 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 03b0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.1.250 port 1034 EAP-Message = 0x010303f31900160301002a02000026030149b8c79ad72fa31c2fc8459b30bd15126d3e5d6c74b1cb5228c06435c81fa6440000040016030103b00b0003ac0003a90003a6308203a23082028aa003020102020102300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d EAP-Message = 0x3039303232373139323130325a170d3130303232373139323130325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ac916a34fdc11effd3bf47f5e73c79237047fe7f11563c666003ddfc4d734778cf075ee5998c76f03bf71fa77f53e08588af1dcb33f926a1404901e5d8008e613952 EAP-Message = 0x979ae3c175d60f86c9c0ae82c554378f11f0cf9302931b3888dc716df066a15c655817bd3cc6617cb6feb8e2f41ad9531b68cddece4f8ebe50581111d673463cd9a00198eb4d43adefaa1322618e20d7fe3c5408d3a2329be135a664bf99f281b2b8c1810be4fb1b0cee61b7f943e9eac630a69865faeba4a4206f4bb89c8b27ecbd8e9545615a030151559b539a8c533f5b9779d1c4eb22279c0b5409eb2e242878bff8ac400c10f0fd81e15e246f85d940182be0a60a4a4399cc0bd0a70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101001b2311c96ac3ee97d6ecfd99e8 EAP-Message = 0x0adfa8b3b89b7481c139127c0a69572763e40b467f29150c33c33ac9a582fe1c591bd4150d769c0e35195182835bc301441bbb8235a3cdcabf877b8652ce74782d0045114312dd6c214e67adc2ebc59b7330e5fdba13a5e28be5cfdaa4d2e5eaa84e5c500df001989d673ec3ee37cd4b2404722233d2f5ab442e691ff244653402d1b22260370262bee269a518e02bb0b47452aeb51465d047fc83f9075914ba86efbc202b60d5e9ce652ce28561edb25ec4e49cae1a3762672a85ad2bc11efc117481b7de96613d83438a712c589b5f6aef84c695f516c87a6b1f17bfe69446e4e9e7b03fe9f5553486e8dd1aa28d6b36a47216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x992715679b240cebdde85f1a77c9228b Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=3, length=532 Message-Authenticator = 0xc54164092ed8dc2f09a7418d5560f076 Service-Type = Framed-User User-Name = "ITDEPT.COM\\scoe\000" Framed-MTU = 1488 State = 0x992715679b240cebdde85f1a77c9228b Called-Station-Id = "00-17-9A-09-C4-DD:scoeit" Calling-Station-Id = "00-13-02-12-16-6E" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0203014019800000013616030101061000010201000c969749c74343d53a00c5cd79f5301ddf1fdc7283cd04a8f1083c17e1944c5c7cbed10b12ee27e4b5d4eb1430e87e9f739302bc725d88acd7f03e5db8b5cd7d9d89cd283ade84801b26aa4e337d4b31589f1bf73c906348443555a170e26ba0ec25df48d057c543282027d39982bfd922e3efc5fea974147b2a1439ef3be601084102ab0c4974ef2dde486b00c9b5110a812bf2a4913ed711ae9b749c45779344535984212c852b5bc1056d1389d51ae647fe6341fcc24109f379da2762aa8def42675dc0472220927b6b0b3f93082ab8ab06df5dfb76e4645dda6ddd2c588229ad183ca921501b EAP-Message = 0xa3bbac963e046ef6c7c96392af28b267d494957e189efda814030100010116030100201f15bf9882f5f81840a2f0b88eacf2b32487bec7a66273e6bae9f5899090f568 NAS-IP-Address = 192.168.1.250 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.1.250 port 1034 EAP-Message = 0x01040031190014030100010116030100204c2d5ce111b4cf1d8484d0a7b0bc663743b67f0dfcf3bc69dfa62631fd9d3e30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x992715679a230cebdde85f1a77c9228b Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=4, length=216 Message-Authenticator = 0xfb5cafdd0840b6ccedd584509afb6159 Service-Type = Framed-User User-Name = "ITDEPT.COM\\scoe\000" Framed-MTU = 1488 State = 0x992715679a230cebdde85f1a77c9228b Called-Station-Id = "00-17-9A-09-C4-DD:scoeit" Calling-Station-Id = "00-13-02-12-16-6E" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 192.168.1.250 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.1.250 port 1034 EAP-Message = 0x0105002019001703010015b1bb8da1accb8c051e43c474f0b25b6888371dafd2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x992715679d220cebdde85f1a77c9228b Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=5, length=253 Message-Authenticator = 0x559b57aca5bffa7b01a186f5ae288fc8 Service-Type = Framed-User User-Name = "ITDEPT.COM\\scoe\000" Framed-MTU = 1488 State = 0x992715679d220cebdde85f1a77c9228b Called-Station-Id = "00-17-9A-09-C4-DD:scoeit" Calling-Station-Id = "00-13-02-12-16-6E" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0205002b19001703010020a690881c896db8f3366ba3ee32944a59d4b9fea829756099f89ed10931342409 NAS-IP-Address = 192.168.1.250 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - ITDEPT.COM\scoe [peap] Got tunnled request EAP-Message = 0x02050014014954444550542e434f4d5c73636f65 server (null) { PEAP: Got tunneled identity of ITDEPT.COM\scoe PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to ITDEPT.COM\scoe Sending tunneled request EAP-Message = 0x02050014014954444550542e434f4d5c73636f65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ITDEPT.COM\\scoe" Service-Type = Framed-User Framed-MTU = 1488 Called-Station-Id = "00-17-9A-09-C4-DD:scoeit" Calling-Station-Id = "00-13-02-12-16-6E" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" NAS-IP-Address = 192.168.1.250 NAS-Port = 1 NAS-Port-Id = "STA port # 1" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 5 length 20 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010600291a01060024100063da3b7cc3f43eabec58facf4e1a544954444550542e434f4d5c73636f65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5dac34625daa2ecf48629eb40108d58e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010600291a01060024100063da3b7cc3f43eabec58facf4e1a544954444550542e434f4d5c73636f65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5dac34625daa2ecf48629eb40108d58e [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.1.250 port 1034 EAP-Message = 0x01060040190017030100352c6462427fabed095dd20eb0a27126d825f307f85f0ecd4fd26ae52617d9731aa14fcadeb19fac8fc0d0137ed2f8014bf4ef79384e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x992715679c210cebdde85f1a77c9228b Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=6, length=307 Message-Authenticator = 0xa39a6fe70736fcc5f6106730554498e1 Service-Type = Framed-User User-Name = "ITDEPT.COM\\scoe\000" Framed-MTU = 1488 State = 0x992715679c210cebdde85f1a77c9228b Called-Station-Id = "00-17-9A-09-C4-DD:scoeit" Calling-Station-Id = "00-13-02-12-16-6E" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206006119001703010056ef7f7df93da28d67e1bb560078a1f55a38558fc7fe965a4d12729fedfd5978ea7678f294285464c7a58049a65ac6bfed51f72f89937a6275d512063adefe77cd4a4866c11af7b1d49e60f77003a2581559e005a77732 NAS-IP-Address = 192.168.1.250 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 97 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x0206004a1a02060045315c0291fe1459500e2ea66e03781a141b0000000000000000a1f11ae4843edcb38707bda4af4252c47ea544de54571725004954444550542e434f4d5c73636f65 server (null) { PEAP: Setting User-Name to ITDEPT.COM\scoe Sending tunneled request EAP-Message = 0x0206004a1a02060045315c0291fe1459500e2ea66e03781a141b0000000000000000a1f11ae4843edcb38707bda4af4252c47ea544de54571725004954444550542e434f4d5c73636f65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ITDEPT.COM\\scoe" State = 0x5dac34625daa2ecf48629eb40108d58e Service-Type = Framed-User Framed-MTU = 1488 Called-Station-Id = "00-17-9A-09-C4-DD:scoeit" Calling-Station-Id = "00-13-02-12-16-6E" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" NAS-IP-Address = 192.168.1.250 NAS-Port = 1 NAS-Port-Id = "STA port # 1" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 74 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? [mschap] Told to do MS-CHAPv2 for ITDEPT.COM\scoe with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.1.250 port 1034 EAP-Message = 0x010700261900170301001b0b161d0dbb31d7d3cd65286f7aa084ee8708935bed2bc963e60797 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x992715679f200cebdde85f1a77c9228b Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=7, length=248 Message-Authenticator = 0x5b1ec30419fb1addf07d5979c76176e0 Service-Type = Framed-User User-Name = "ITDEPT.COM\\scoe\000" Framed-MTU = 1488 State = 0x992715679f200cebdde85f1a77c9228b Called-Station-Id = "00-17-9A-09-C4-DD:scoeit" Calling-Station-Id = "00-13-02-12-16-6E" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020700261900170301001b01aef267bca260c0c202dbaad96a2914551d213d9a74266916a21a NAS-IP-Address = 192.168.1.250 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ITDEPT.COM\scoe attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 15 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 15 Sending Access-Reject of id 7 to 192.168.1.250 port 1034 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 8 ID 0 with timestamp +558 Cleaning up request 9 ID 1 with timestamp +558 Cleaning up request 10 ID 2 with timestamp +559 Cleaning up request 11 ID 3 with timestamp +559 Cleaning up request 12 ID 4 with timestamp +559 Cleaning up request 13 ID 5 with timestamp +559 Cleaning up request 14 ID 6 with timestamp +559 Waking up in 1.0 seconds. Cleaning up request 15 ID 7 with timestamp +559 Ready to process requests. -- View this message in context: http://www.nabble.com/eap-peap-%22challenge%22-error-for-windows-XP-clients-... Sent from the FreeRadius - User mailing list archive at Nabble.com.