Need help setting up PEAP authentication
Stefan Winter
stefan.winter at restena.lu
Fri Jul 21 07:48:32 CEST 2006
Hello,

> Sorry to be such a newbie, I cannot remember why I decided not to send the full
> debugging log. Anyway, it is available online at
> http://www.borer.name/files/radius/radius.log

Much better :-)

Indeed, the authentication completes successfully. You are using PEAP with
client certificates, that's why there are so many packets going back and
forth (2 certificates + MS-CHAPv2 credentials need to be exchanged, too much
data for a single packet).

> I used wpa_supplicant to try to connect, and as explained in my first email
> the client says that authentication went ok, then 30 seconds later it
> displays an authentication timeout message and tries to reconnect. The 30
> seconds gap can be seen in the log when it displays "Nothing to do.
> Sleeping until we see a request.".

Since this is no FreeRADIUS problem (authentication worked well), just a wild
shot: is this a recent Centrino chipset and your client is using Linux? I
experienced problems as well until I loaded the ipw2200 module with the
option "hwcrypto=0" (or was it hw_crypto=0 ?), because otherwise the ipw2200
f*cks up the exchanged encryption key after a short while, the Access Point
detects this and disconnects the client, which then tries to authenticate
again...

> Anyway, as asked I also tried to disable certificate validation on Windows
> XP and it is still not working.

Since you didn't also include the debug log of the failed attempt, this is
just another wild guess: since you are using client certificates, your
certificate needs to have another OID present: Microsoft Web Client
Authentication. So even if you don't validate the server credentials, you'll
have to have an MS-friendly certificate on the client side.

Greetings,

Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
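
Added example, not part of the original message: a shell check for the client-certificate requirement mentioned in the reply, assuming the OID meant there is the standard TLS Web Client Authentication extended key usage (clientAuth, 1.3.6.1.5.5.7.3.2). The function names and the throwaway self-signed test certificates are constructed for illustration and require the openssl command-line tool.

```shell
# Return 0 if the PEM certificate in $1 lists TLS Web Client Authentication
# (clientAuth, OID 1.3.6.1.5.5.7.3.2) in its Extended Key Usage extension.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Create a throwaway self-signed certificate (constructed test data).
# $1 = output path prefix, $2 = extendedKeyUsage value (e.g. clientAuth)
make_test_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed-test-user
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Build one certificate with clientAuth and one with only serverAuth,
# then report which of them would satisfy the client-side EKU check.
check_demo() {
    demo_dir=$(mktemp -d)
    make_test_cert "$demo_dir/client" clientAuth
    make_test_cert "$demo_dir/server" serverAuth
    if has_client_auth_eku "$demo_dir/client.pem"; then
        demo_a="client:ok"
    else
        demo_a="client:missing"
    fi
    if has_client_auth_eku "$demo_dir/server.pem"; then
        demo_b="server:ok"
    else
        demo_b="server:missing"
    fi
    rm -rf "$demo_dir"
    echo "$demo_a $demo_b"
}
```

To check a real certificate, call `has_client_auth_eku /path/to/client-cert.pem` and inspect the exit status.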