PEAP or TTLS and Microsoft Vista.

Lech Karol Pawłaszek ike at szluug.org
Tue Jul 22 23:22:23 CEST 2008


Hello.

I need your help. For the last few days I have been trying to authenticate
and authorize the Microsoft Vista operating system against FreeRADIUS and a
3com switch (as NAS) for wired authentication, with no luck.

I'm using FreeRADIUS 2.0.5 from sources built on Debian Etch GNU/Linux
and certs made by the bootstrap command (so those certs should have a bit of
magic from xpextensions afaik). I'm trying to take small steps and change as
little as possible - to be honest I've only added a user to the users file
and a client definition to the clients.conf file.

I've tested my configuration with eapol_test command (as suggested at
this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
and it works fine. It doesn't work with Windows Vista and Windows XP
SP3. Please help!

What I have spotted is that the server sends "Access Challenge" and then
on OSX a dialog pops up where I can accept the server's certificate, and on
Windows it's over. So I think it's the issue mentioned on this site[2];
however, I DO have Validate Server Certificate un-checked.

One more thing. If I don't use Windows' PEAP authorization and instead install
securew2 and use securew2's auth, I am able to connect and work for a
minute or so, and then the NAS reports lost carrier and the connection is lost.

I wrote about this issue about a year ago; however, this was put
on hold. You might want to look at the logfiles from those tests.

[1] - http://deployingradius.com/scripts/eapol_test/
[2] - http://deployingradius.com/documents/configuration/eap-problems.html
[3] - http://lists.freeradius.org/pipermail/freeradius-users/2007-July/msg00096.html

Any hints and tips are much appreciated. I'm attaching two logfiles. The
first one - freeradius.log - is the one where I'm trying to authenticate
using system-wide PEAP. The second one, namely freeradius-securew2.log,
is the one where the switch receives Access-Accept and a few moments later
the switch sends back information that the carrier is lost.

I've compressed both logfiles. I hope it's ok here. If it's not - please 
let me know.

Thanks in advance.

-- 
Lech Karol Pawłaszek <ike>
"You will never see me fall from grace." [KoRn]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius.log.gz
Type: application/x-gzip
Size: 4269 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080722/7f02b483/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius-securew2.log.gz
Type: application/x-gzip
Size: 12111 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080722/7f02b483/attachment-0001.bin>