PEAP or TTLS and Microsoft Vista.

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Jul 24 15:58:57 CEST 2008


SecureW2 (List) wrote:
> As I thought, I have been having trouble on the wired side when an MPPE key
> is being sent by the server.
>
> It looks like this "confuses" the Vista client as when you are using wired
> you usually don't need the MPPE key.
>
> Try disabling the MPPE key configuration in the Freeradius config so it is
> not sent, I don't know how to do this though... ;)
>
>
No. Vista works fine with (PEAP/TTLS) & MSCHAPv2 + MPPE keys with 802.1x 
on wired interfaces. The ~1000 or so Vista users on the 802.1x 
authenticated portion of our wired network would agree (most using Vista 
native supplicant). I've not seen any issues with XP SP3 either, on 
wired or wireless.

This is using FR 2.04 (Alan decided to 'fix' the proxying behaviour for 
2.05 and I've not had a chance to 'adjust' our configuration files yet).

We're using certificates signed by 'Thawte Premium Server CA', and 
performing CA and certificate CN validation... all just works.... with 
the exception of the odd Vista box that *refuses* to do user 
authentication and tries to perform machine authentication, ugh. For 
those we use SecureW2, which also generally works fine with a *near* 
default configuration.

BTW from those traces your NAS looks broken if it's sending EAP Ident 
requests after authentication has succeeded.

Arran
> Tom
>
>
>> -----Original message-----
>> From: freeradius-users-bounces+list=securew2.com at lists.freeradius.org
>> [mailto:freeradius-users-bounces+list=securew2.com at lists.freeradius.org]
>> On behalf of Lech Karol Pawlaszek
>> Sent: Thursday, 24 July 2008 13:23
>> To: FreeRadius users mailing list
>> Subject: Re: PEAP or TTLS and Microsoft Vista.
>>
>> SecureW2 (List) wrote:
>>
>>> http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
>>>
>> Nice article. However I don't understand a few things. What's "pdb
>> <pdbpath>"? I'm not good at Windows.
>>
>>
>>> To enable logging do the following:
>>>
>>> - Netsh wlan set tra yes
>>> - netsh ras set tr * en
>>> - Reproduce your problem
>>> - netsh ras set tr * dis
>>> - Netsh wlan set tra no
>>>
>> Well. I have problems with a _wired_ connection so I've used "netsh lan"
>> instead of "netsh wlan". I hope it's the right thing.
>>
>>
>>> If you go to the %windir%\tracing\wireless\ directory you will find a load of
>>> .etl files in different directories.
>>>
>> :-) yea. Which one is... hm... important? onex or eaphost?
>>
>>
>>> Use the tracerpt *.* command to change the .etl to readable .txt files.
>>>
>> I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
>> should search for. Any hints?
>>
>>
>>> PS. I don't like plugging like this but we are almost finished with the
>>> latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
>>> and has been tested quite extensively with Vista SP0/SP1.
>>>
>> Awesome. I hope it'll work with my Vistas...
>>
>> Kind regards,
>>
>> --
>> Lech Karol Pawłaszek <ike>
>> "You will never see me fall from grace" [KoRn]


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services), 
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
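The tracing procedure quoted above, as an added example that is not part of the thread: the abbreviated netsh commands in their long form, switched to `netsh lan` for a wired 802.1X problem, followed by a loop that converts every .etl trace to CSV with tracerpt. Assumes an elevated PowerShell prompt on a Vista-era or later Windows client; the `$Interface` and `$OutDir` parameter names are mine.

```powershell
# Added example (not from the thread): capture the Windows supplicant's
# 802.1X/EAP traces for one failed authentication, then make them readable.
# Assumes an elevated prompt; parameter names are chosen here, not by netsh.
param(
    # 'lan' traces the wired 802.1X supplicant, 'wlan' the Wi-Fi one.
    [ValidateSet('lan', 'wlan')] [string]$Interface = 'lan',
    # Where the converted traces are written (constructed default path).
    [string]$OutDir = "$env:TEMP\eap-trace-txt"
)

# Directory named in the thread; both lan and wlan tracing write under it.
$TraceRoot = "$env:windir\tracing\wireless"

# Long forms of "netsh wlan set tra yes" and "netsh ras set tr * en".
netsh $Interface set tracing mode=yes
netsh ras set tracing * enabled

Read-Host 'Reproduce the 802.1X failure now, then press Enter'

# Long forms of "netsh ras set tr * dis" and "netsh wlan set tra no".
netsh ras set tracing * disabled
netsh $Interface set tracing mode=no

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# onex*.etl is the 802.1X state machine, eaphost*.etl the EAP method host;
# those two are the ones to read first for a PEAP/TTLS failure.
Get-ChildItem -Path $TraceRoot -Recurse -Filter *.etl | ForEach-Object {
    $csv = Join-Path $OutDir ($_.BaseName + '.csv')
    # -of CSV selects the output format, -y overwrites without prompting.
    tracerpt $_.FullName -o $csv -of CSV -y
}

Write-Host "Converted traces are in $OutDir"
```

The traces contain the client's view of the EAP exchange (identity requests, method negotiation, TLS handshake outcome), which is what to compare against the FreeRADIUS debug output (`radiusd -X`) when the two sides disagree.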
