I'm also suffering from this Vista "disease". But in my case I can authenticate users using PEAP, from XP SP2 and SP3 clients, even with "Validating Server Certificate" checked. The problem is only with Vista. I've all the windows updates available installed but I can't get it to work even with the "Validate Server Certificate" unchecked. The freeradius version that I'm using it's the 2.0.2, and I've tried both with the radius "test" certificates and other, and the behavior is exactly the same. The radius log always shows the following: "... rad_recv: Access-Request packet from host 192.168.100.199 port 1024, id=93, length=340 Framed-MTU = 1480 NAS-IP-Address = 192.168.100.199 NAS-Identifier = "HP ProCurve Switch 2626-PWR" User-Name = "teste" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 2 NAS-Port-Type = Ethernet NAS-Port-Id = "2" Called-Station-Id = "00-11-85-ad-b7-c0" Calling-Station-Id = "00-1b-38-8f-40-aa" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x2a4cc8322ac0d1b35c7650bea0308dda EAP-Message = 0x028c007419800000006a16030100650100006103014886730236b0840bd6df9358c1446c3e62e956de01ad320ddc04441dcf82d462000018002f00350005000ac009c00ac013c0140032003800130004010000200000000a00080000057465737465000a00080006001700180019000b00020100 Message-Authenticator = 0xd46becf93b1bcccd0402d3496f7f5721 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "teste", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 140 length 116 rlm_eap: Continuing tunnel setup. ++[eap] returns ok ++[mschap] returns noop users: Matched entry teste at line 1 ++[files] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for teste WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=teste) expand: ou=People,dc=local,dc=loc -> ou=People,dc=local,dc=loc rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=local,dc=loc, with filter (uid=teste) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 106 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0065], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 03b0], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 93 to 192.168.100.199 port 1024 EAP-Message = 0x018d040019c00000040d160301004a020000460301488672c8ac900c3f88d166a948b5ea07d6e9474d14c3e025ee5b661a96ca4ae4200d2218c482a7afc626cfa166eeac452729093fe79aa43dded4adb3f63518159b002f0016030103b00b0003ac0003a90003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303732323233313734365a170d3039303732323233313734365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ebb9bc08eac90bd234ec1ddeed261d2ee0a98c1fe1f2c3ef1cc9fb665496 EAP-Message = 0x8c122c5da0678d64eaaf118463b82422c7d7ad07cd049e0a94994b4ffc9c95a6ac5ce278d16d8e9fdeac51a4cca0c8cd78b71e1b282b188798209515da8d688cea3aaef56731d96975f8f99cbdd13d71ff792aa8b44040c4fe1b90aad77057a6b8cc2c238a1319abfe9f0df37f538ef2119ac041e73b00343b1953db2193522a2dab185993a2b7f756e920a89d01f17ce7df5c482064505a102a25ff9421b8aed065f1ca0c2c38a62a616407fb06dd051dfcf00243b83074e724666a332c5baec351eb0df5c8fea22cb8db7892d59f85e0a6070a9461b23f0d568c170dc89f60a3ef0203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d0101040500038201010036adc59ded5d25b5d99cf4d52fab993bab169cf0175b6503aadef2581b50f788abe5e158bed1b1d2eb3295e4aa0e39027f2903047db540be42b71d9ce76d9453fe295252c6a12f3a3d92271111686ebb308682302298c0d6f90f1f1bd3715dea86fa5a8c38a019e438a296dbc226d64e453279b0b21d8d3c46010b829e0075f7c9d267b5938c512113ff718bd462958384b1944bb2e6a17f80ed659c9065eeb40e38da88f071ab970349bf1d7c8cb259d27e7dd2782e82059d8525b01f6d577ba365679b5d107eab1cfcbaaf21c58ef73a85d7b7da9627a6d80fad0580299fca91f51acc8994 EAP-Message = 0x8e17896898d68a07d3dbf173 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2a4cc8322bc1d1b35c7650bea0308dda Finished request 11. Going to the next request Waking up in 0.9 seconds. Waking up in 3.9 seconds. Cleaning up request 10 ID 92 with timestamp +1627 Cleaning up request 11 ID 93 with timestamp +1627 Ready to process requests. " Is there anything that I'm missing? Nelson Vale Ter, 2008-07-22 às 23:22 +0200, Lech Karol Pawłaszek escreveu:
Hello.
I need your help. For the last few days I try to authenticate and authorize Microsoft Vista operating system against FreeRADIUS and 3com switch (as NAS) for wired authentication with no luck.
I'm using FreeRADIUS 2.0.5 from sources built on Debian Etch GNU/Linux and certs made by bootstrap command (so those certs should have a bit of magic from xpextensions afaik). I try to make little steps and change as less as possible - to be honest I've only added user to the users file and client definition to the clients.conf file.
I've tested my configuration with eapol_test command (as suggested at this site[1]) and it works fine. I've tested it against MacOsX 10.4 and MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2 and it works fine. It doesn't work with Windows Vista and Windows XP SP3. Please help!
What I have spotted is that the server sends "Access Challenge" and then on OSX dialog pops up where I can accept server's certificate and on Windows it's over. So I think it's the issue mentioned on this site[2] however i DO have Validate Server Certificate un-checked.
One more thing. If I won't use Windows' PEAP authorization and install securew2 and use securew2's auth - I am able to connect. Work for a minute or so and then NAS reports lost carrier and the connection is lost.
I've written about this issue about a year ago however this was put on-hold. You might want to look at logfiles from that tests.
[1] - http://deployingradius.com/scripts/eapol_test/ [2] - http://deployingradius.com/documents/configuration/eap-problems.html [3] - http://lists.freeradius.org/pipermail/freeradius-users/2007-July/msg00096.ht...
Any hints and tips much appreciated. I'm attaching two logfiles. The first one - freeradius.log - is the one where I'm trying to authenticate using system-wide PEAP. The second one, namely freeradius-securew2.log, is the one where switch receives Access-Accept and a few moments later switch sends back information that the carrier is lost.
I've compressed both logfiles. I hope it's ok here. If it's not - please let me know.
Thanks in advance.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html