Windows Vista doing PEAP

Alan DeKok aland at deployingradius.com
Tue Nov 28 23:06:11 CET 2006


Pedro Ribeiro <pribeiro-bulk at net.ipl.pt> wrote:
> The "Radiator" people are talking about problems with SSL empty
> fragments handling in Windows Vista ...
> I've tried to compile FreeRADIUS with
> SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same,
> clients can't connect!

  i.e. the patch below MAY help.  There is still an issue in the
FreeRADIUS state machine where it MAY send an empty ACK once the SSL
tunnel is set up.  Most clients seem to be OK with this, but maybe
Vista isn't.

  A solution, I *think* would be to have FreeRADIUS send an EAP
Identity request inside of the tunneled session for PEAP, as soon as
the session is established.  This should work with third-party
supplicants, and may allow Vista to work, too.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog



Index: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
===================================================================
RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c,v
retrieving revision 1.21.4.11
diff -u -r1.21.4.11 rlm_eap_tls.c
--- src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	26 Oct 2006 17:13:04 -0000	1.21.4.11
+++ src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	28 Nov 2006 22:04:44 -0000
@@ -368,7 +368,7 @@
 	 *	time needed during negotiation, but it is not very
 	 *	large.
 	 */
-   	ctx_options |= SSL_OP_SINGLE_DH_USE;
+   	ctx_options |= SSL_OP_SINGLE_DH_USE | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 	SSL_CTX_set_options(ctx, ctx_options);
 
 	/*
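Review bot: the new `ctx_options |= SSL_OP_SINGLE_DH_USE | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;` line applies the flag unconditionally, so it changes record-layer behaviour for every EAP-TLS/PEAP/TTLS client, not only the Vista supplicants this thread is about; the empty-fragment insertion it turns off is OpenSSL's countermeasure for a CBC weakness in SSLv3/TLS 1.0, so a global default here trades a protection away for interoperability. Suggest gating it behind a configuration setting that is off by default, and giving it its own comment: the existing block above (`time needed during negotiation, but it is not very large`) describes only the DH option, so a reader of this line would not learn why the second flag is set or what it gives up.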
