PEAP or TTLS and Microsoft Vista.

SecureW2 (List) list at securew2.com
Thu Jul 24 16:07:48 CEST 2008


> -----Original message-----
> From: freeradius-users-bounces+list=securew2.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+list=securew2.com at lists.freeradius.org]
> On behalf of Arran Cudbard-Bell
> Sent: Thursday 24 July 2008 15:59
> To: FreeRadius users mailing list
> Subject: Re: PEAP or TTLS and Microsoft Vista.
> 
> SecureW2 (List) wrote:
> > As I thought, I have been having trouble on the wired side when an MPPE
> > key is being sent by the server.
> >
> > It looks like this "confuses" the Vista client as when you are using
> > wired you usually don't need the MPPE key.
> >
> > Try disabling the MPPE key configuration in the Freeradius config so it
> > is not sent, I don't know how to do this though... ;)
> >
> >
> No. Vista works fine with (PEAP/TTLS) & MSCHAPv2 + MPPE keys with 802.1x
> on wired interfaces. The ~1000 or so Vista users on the 802.1x
> authenticated portion of our wired network would agree (most using Vista
> native supplicant). I've not seen any issues with XP SP3 either, on
> wired or wireless.
> 

Ah ok. As it turns out it is the NAS.

> This is using FR 2.04 (Alan decided to 'fix' the proxying behaviour for
> 2.05 and I've not had a chance to 'adjust' our configuration files yet).
> 
> We're using certificates signed by 'Thawte Premium Server CA', and
> performing CA and certificate CN validation... all just works.... with
> the exception of the odd Vista box that *refuses* to do user
> authentication and tries to perform machine authentication, ugh. For
> those we use SecureW2, which also generally works fine with a *near*
> default configuration.
> 

I have not tested SW2 on wired yet due to lack of hardware so it is good to
hear it works... :)

> BTW from those traces your NAS looks broken if it's sending EAP Ident
> requests after authentication has succeeded.
> 
> Arran
> > Tom
> >
> >
> >> -----Original message-----
> >> From: freeradius-users-bounces+list=securew2.com at lists.freeradius.org
> >> [mailto:freeradius-users-bounces+list=securew2.com at lists.freeradius.org]
> >> On behalf of Lech Karol Pawlaszek
> >> Sent: Thursday 24 July 2008 13:23
> >> To: FreeRadius users mailing list
> >> Subject: Re: PEAP or TTLS and Microsoft Vista.
> >>
> >> SecureW2 (List) wrote:
> >>
> >>> http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
> >>>
> >> Nice article. However I don't understand a few things. What's "pdb
> >> <pdbpath>"? I'm not good at Windows.
> >>
> >>
> >>> To enable logging do the following:
> >>>
> >>> - Netsh wlan set tra yes
> >>> - netsh ras set tr * en
> >>> - Reproduce your problem
> >>> - netsh ras set tr * dis
> >>> - Netsh wlan set tra no
> >>>
> >> Well. I have problems with _wired_ connection so I've used "netsh lan"
> >> instead of "netsh wlan". I hope it's the right thing.
> >>
> >>
> >>> If you go to the %windir%\tracing\wireless\ directory you will find a
> >>> load of .etl files in different directories.
> >>>
> >> :-) yea. Which one is... hm... important? onex or eaphost?
> >>
> >>
> >>> Use the tracerpt *.* command to change the .etl to readable .txt
> >>> files.
> >>>
> >> I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
> >> should search for. Any hints?
> >>
> >>
> >>> PS. I don't like plugging like this but we are almost finished with
> >>> the latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and
> >>> EAP-GTC and has been tested quite extensively with Vista SP0/SP1.
> >>>
> >> Awesome. I hope it'll work with my Vista's...
> >>
> >> Kind regards,
> >>
> >> --
> >> Lech Karol Pawłaszek <ike>
> >> "You will never see me fall from grace" [KoRn]
> >>
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> 
> 
> --
> Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
> Authentication, Authorisation and Accounting Officer,
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> 





More information about the Freeradius-Users mailing list