WPA Peap problems with Vista (yet again)

Michael Torrie torriem at gmail.com
Fri Apr 4 16:50:53 CEST 2008


I've read through the list archives about people's problems with Vista
and FreeRadius, including the recent messages on this list in January,
and a couple of exchanges back in 2006 and 2007.  I am running
FreeRadius 1.1.7 on a RHEL 4 box, compiled from Fedora 8's FreeRadius
SRPM.  According to the changelog, the patch/hack to get around Vista's
broken SSL fragment handling has been in FreeRadius since 1.1.4, so
we're good there.  I also read the big warning in the eap.conf file and
have ensured that my certificate indeed does have the proper OID that
Microsoft requires.  The setup (1.1.5 before, and 1.1.7 now) has been
working fine for XP SP2 for years.

Yet I still have the problem where after the Access-Challenge is sent,
the Vista clients just silently drop things and the connection fails.
This is the behavior that I know I would get if I don't have the
required OID in the certificate.   Yet it is there!  I ran 'openssl x509
-in /path/to/cert.crt -noout -text' and it shows the extended usage as
I'd expect.  For some reason openssl calls it TLS Web Server
Authentication.  Thinking that it was still wrong, I did as was
suggested on the list in January, and downloaded FreeRadius 2.0.3 and
created a self-signed cert with those tools.  It looks the exact same,
so I know the OID is right.

Any ideas?  Debug output is:
Sending Access-Challenge of id 90 to 192.168.4.10 port 21702
        EAP-Message = 0x010800061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xdf09144102cbf146277d93e7d554a782
Finished request 1939
Going to the next request

Any ideas on how to better debug and fix this major problem for me?

thanks,

Michael
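
Added example, not part of the original message: a small Python decoder for the `EAP-Message` value shown in the debug output above, which reads the EAP header and the EAP-TLS style flags octet that PEAP uses. The function name and the returned field names are made up for this example. The version mask of 0x07 on the flags octet is an assumption.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types that carry an EAP-TLS style flags octet after the Type field
TLS_BASED_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def decode_eap_message(hex_value):
    """Decode one EAP-Message value as printed in RADIUS debug output."""
    text = hex_value.strip()
    raw = bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 octets, got %d" % len(raw))
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        # A longer EAP packet is split over several EAP-Message attributes;
        # concatenate them before decoding.
        raise ValueError("EAP length %d does not fit %d octets" % (length, len(raw)))
    info = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
            "identifier": identifier, "length": length}
    body = raw[4:length]
    if code not in (1, 2) or not body:
        return info  # Success and Failure packets have no Type field
    eap_type = body[0]
    info["type"] = TLS_BASED_TYPES.get(eap_type, "type %d" % eap_type)
    if eap_type not in TLS_BASED_TYPES or len(body) < 2:
        return info
    flags = body[1]
    info["length_included"] = bool(flags & 0x80)  # L bit
    info["more_fragments"] = bool(flags & 0x40)   # M bit
    info["start"] = bool(flags & 0x20)            # S bit
    info["version"] = flags & 0x07                # assumed mask; used by PEAP/TTLS
    data = body[2:]
    if info["length_included"]:
        if len(data) < 4:
            raise ValueError("L bit set but TLS Message Length is missing")
        info["tls_message_length"] = struct.unpack("!I", data[:4])[0]
        data = data[4:]
    info["tls_data_len"] = len(data)
    # RFC 5216: a packet with no L/M/S bits and no TLS data is a fragment ACK
    info["fragment_ack"] = not (flags & 0xE0) and not data
    return info


if __name__ == "__main__":
    # Value taken from the Access-Challenge in the debug output above
    print(decode_eap_message("0x010800061900"))
```

For the value in the debug output this reports an EAP Request, identifier 8, length 6, type PEAP, with no flags set and no TLS data, which is the shape RFC 5216 describes for a fragment acknowledgement.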


