Windows Vista doing PEAP

Pedro Ribeiro pribeiro-bulk at net.ipl.pt
Tue Nov 28 17:40:40 CET 2006


Hello Alan,

The "Radiator" people are talking about problems with SSL empty
fragments handling in Windows Vista ...
I've tried to compile FreeRADIUS with
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same,
clients can't connect!

in: http://www.open.com.au/radiator/history.html
> # Enabled SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in PEAP TLS, to work
> around a problem with Vista Beta 2 clients, where the extra empty
> fragment (sent as a security measure by OpenSSL) confuses the Vista
> PEAP supplicant. See http://www.openssl.org/~bodo/tls-cbc.txt for
> reasons behind the empty fragments. Reported by David Spindler.

Best Regards!

Wednesday, October 4, 2006, 4:14:25 PM, you wrote:

> "King, Michael" <MKing at bridgew.edu> wrote:
>> So we've been using FreeRADIUS talking to ActiveDirectory to
>> authenticate our WinXP clients (Over 2000) for over a year now.
>> Along comes Vista.  Of COURSE it doesn't work.  Microsoft changed
>> something, and it broke a working config.  Arrg.

>   Try: http://www.striker.ottawa.on.ca/~aland/vista.patch

>   You'll have to re-build & re-install the EAP module (you don't need
> to touch the rest of the server).  It won't help, but it will print
> out a little more information.  We'll probably have to do a few cycles
> before it's tracked down, though.

>> My (amateur) analysis, (Aka my gut) is that Vista is Doing something in
>> TLS, not PEAP.  (I don't see my mschap module fire).

>   The TLS tunnel is set up, BUT vista is doing something slightly
> different that confuses FreeRADIUS, so FreeRADIUS doesn't continue the
> EAP conversation.

>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog



-- 
Best regards,

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Pedro Ribeiro
IPLNet - Rede de dados e comunicações
Instituto Politécnico de Lisboa (IPL)
Mail: mailto:pribeiro at net.ipl.pt
VoIP: sip:pribeiro at net.ipl.pt
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
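An added diagnostic sketch, not part of the original message and not FreeRADIUS or Radiator code: it walks a reassembled TLS record stream and flags application-data records whose length matches an OpenSSL empty fragment, which is one way to confirm whether a rebuild with SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS actually changed what goes on the wire. Assumptions: TLS 1.0 CBC with minimal padding, the TLS bytes have already been reassembled from the EAP-TLS fragments, and all function names and the sample stream are constructed for illustration.

```python
import struct

APPLICATION_DATA = 23  # TLS ContentType for application data

def empty_record_len(mac_len, block_len):
    """Ciphertext length of a zero-length plaintext under TLS 1.0 CBC with
    minimal padding: MAC + pad bytes + 1 pad-length byte, rounded up."""
    return -(-(mac_len + 1) // block_len) * block_len

def parse_records(stream):
    """Split a reassembled TLS byte stream into (type, version, length)."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        if len(stream) - off - 5 < length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, version, length))
        off += 5 + length
    return records

def find_empty_fragments(stream, mac_len=20, block_len=16):
    """Indexes of application-data records sized like an empty fragment
    and immediately followed by another application-data record."""
    recs = parse_records(stream)
    want = empty_record_len(mac_len, block_len)
    return [i for i in range(len(recs) - 1)
            if recs[i][0] == APPLICATION_DATA and recs[i][2] == want
            and recs[i + 1][0] == APPLICATION_DATA]

def _rec(ctype, length):
    # Constructed sample record: TLS 1.0 header plus filler ciphertext bytes.
    return struct.pack("!BHH", ctype, 0x0301, length) + b"\x00" * length

# Constructed sample stream (not a real capture): an encrypted handshake
# record, then an empty fragment followed by a data record, sized for
# AES-CBC with a SHA-1 MAC.
SAMPLE = _rec(22, 48) + _rec(23, 32) + _rec(23, 64)

if __name__ == "__main__":
    print("suspected empty fragments at records:", find_empty_fragments(SAMPLE))
```

The match is a length heuristic: with AES and SHA-1, a real record carrying up to 11 bytes of plaintext also encrypts to 32 bytes, so a hit should be read together with the debug output of the server.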




