PEAP-MSCHAP failure. Please help

Alan DeKok aland at deployingradius.com
Wed Oct 18 18:48:42 CEST 2006


"Jack Daniels" <da_very_newbie at hotmail.com> wrote:
> Is there a way to dump more information about what is going on in the TLS 
> conversation in freeradius?

  No.  What more information do you think you would need?

> Why even if EAP doesn't fail it can't reach the mschap part?

  Because the Windows client stops talking to the server.

> Should I consider this part
> (other): SSL negotiation finished successfully
> rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
> SSL Connection Established
> as a failure or a success?

  I could swear that message has the word "successfully" in it.  That
looks a whole lot like "success" to me.

> In the client computer, if  I uncheck the "Validate server certificate" 
> option everything runs smoothly.

  Then the problem is that you didn't create the certificates with the
magic OID's.  See http://wiki.freeradius.org/WPA_HOWTO and
http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html

  If you didn't use the "xpextensions" file, Windows won't like the
certs.

> I'm using FreeRadius v 1.1.3. Certificates when created were verified with 
> openssl verify and everything was ok.

  They're certs, but they're not certs Windows likes.

  I think for the next rev of the server, we'll take a look at putting
huge screaming messages in the logs if the certs don't have the OID's.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
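
Added example, not part of the original message or the FreeRADIUS distribution: a check for the Extended Key Usage that the reply calls the "magic OID's", which "openssl verify" does not test. The OID value (the standard serverAuth key purpose), the config section names and the test hostname are assumptions, not taken from the page.

```shell
#!/bin/sh
# Check whether a PEM certificate carries the serverAuth Extended Key Usage
# that Windows supplicants look for when "Validate server certificate" is on.

SERVER_AUTH_OID="1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (assumed, not on the page)

# has_server_auth CERT.pem
# Exit 0 if the certificate lists serverAuth in its EKU extension, else non-zero.
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ { getline; print }' |
        grep -q 'TLS Web Server Authentication'
}

# make_demo_cert OUT.pem [SECTION]
# Build a constructed, throwaway self-signed certificate for testing the check.
# SECTION is "server_eku" (with the OID) or "no_eku" (without it, the default).
make_demo_cert() {
    out=$1
    section=${2:-no_eku}
    dir=$(mktemp -d) || return 1
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = radius.example.test
[ server_eku ]
extendedKeyUsage = $SERVER_AUTH_OID
[ no_eku ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/openssl.cnf" -extensions "$section" \
        -keyout "$dir/key.pem" -out "$out" 2>/dev/null
    rc=$?
    rm -rf "$dir"          # the demo private key is discarded
    return $rc
}
```

Run has_server_auth against the certificate the EAP module presents; a non-zero exit means the certificate lacks the extension even if "openssl verify" reports OK.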


