Windows Vista doing PEAP

Pedro Ribeiro pribeiro-bulk at
Tue Nov 28 17:40:40 CET 2006

Hello Alan,

The "Radiator" people are talking about problems with SSL empty
fragments handing in Windows Vista ...
I've tried to compile FreeRADIUS with
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same,
clients can't connect!

> around a problem with Vista Beta 2 clients, where the extra empty
> fragment (sent as a security measure by OpenSSL) confuses the Vista
> PEAP supplicant. See for
> reasons behind the empty fragments. Reported by David Spindler.

Best Regards!

Wednesday, October 4, 2006, 4:14:25 PM, you wrote:

> "King, Michael" <MKing at> wrote:
>> So we've been using FreeRADIUS talking to ActiveDirectory to
>> authenticate our WinXP clients (Over 2000) for over a year now.
>> Along comes Vista.  Of COURSE it doesn't work.  Microsoft changed
>> something, and it broke a working config.  Arrg.

>   Try:

>   You'll have to re-build & re-install the EAP module (you don't need
> to touch the rest of the server).  It won't help, but it will print
> out a little more information.  We'll probably have to do a few cycles
> before it's tracked down, though.

>> My (amatuer) analyis,  (Aka my gut) is that Vista is Doing something in
>> TLS, not PEAP.  (I don't see my mschap module fire).

>   The TLS tunnel is set up, BUT vista is doing something slightly
> different that confuses FreeRADIUS, so FreeRADIUS doesn't continue the
> EAP conversation.

>   Alan DeKok.
> --
>       - The web site of the book
> - The blog
> - 
> List info/subscribe/unsubscribe? See

Best regards,

Pedro Ribeiro
IPLNet - Rede de dados e comunicações
Instituto Politécnico de Lisboa (IPL)
Mail: mailto:pribeiro at
VoIP: sip:pribeiro at

More information about the Freeradius-Users mailing list