Logins against AD failing in *most* cases. Can see why, but don't *understand* why.

Meyers, Dan d.meyers at lancaster.ac.uk
Tue Dec 1 18:51:01 CET 2009


> > Secondly, my colleague's machine actually responds to the
> > Access-Challenge sent at the end of the packet where the ntlm_auth is
> > done, whereas my machine does not. This is the crucial point I think.
> > Without this final response the Access-Accept is never sent back. My
> > colleague is using Windows XP with the Intel Pro/Set Wireless drivers
> > and supplicant. If he changes to using the XP inbuilt supplicant,
> > everything stops working. I am on Windows 7 using the inbuilt
> > supplicant. As best we can tell, this is the problematic difference. The
> > Intel supplicant is presumably getting and responding to the
> > Access-Challenge where the windows inbuilt supplicant is not, but I
> > don't know why or what could be causing it. My machine also doesn't
> > respond to the Access-Challenge under Ubuntu 9.10, using the Gnome
> > inbuilt supplicant.
> 
> This is most likely a CA cert problem. The comments in the default
> "eap.conf" give a very specific warning about this (access-challenge
> which is never replied to) and explain the issue.

This being the case, why does my machine successfully respond to all the
other Access-Challenges before the MSCHAPv2 password is dealt with? The
trace I gave was for an Access-Challenge id 107. IDs 100 (my initial
request) to 106 (the other parts of the EAP setup) all finish with an
Access-Challenge with an EAP-Message being sent to my client, and all of
those Challenges are successfully responded to. It was also my (possibly
erroneous) understanding that FreeRADIUS would never get to the point of
being able to get the MSCHAPv2 password from the client if the CA cert
was incorrect, as it would never complete the setup of the EAP session
inside which the MSCHAPv2 data is contained.

Additionally, I am using exactly the same certificates, file ownership
and permissions and eap.conf settings that worked fine before the AD
upgrade, and the certificates are not used in talking to the domain to
auth credentials so I can't think that the issue lies there.

I am perfectly willing to accept that you may be right and this may be
my issue; I just don't understand how it has suddenly become a problem.

Dan
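The check Dan describes doing by hand (which Access-Challenge IDs the client answered and where it went silent) can be automated over a packet trace. This is an added example, not code from the thread or from FreeRADIUS; the log wording is an assumption modelled on `radiusd -X` output from the 2.x series, and the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Assumed wording of FreeRADIUS 2.x "radiusd -X" packet lines; adjust the two
# regexes if your server version phrases these lines differently.
RECV_RE = re.compile(r"rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
SEND_RE = re.compile(r"Sending (Access-Challenge|Access-Accept|Access-Reject) of id (\d+) to")

# Constructed sample: eight rounds, the last challenge (id 107) never answered.
SAMPLE_LOG = "\n".join(
    f"rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id={i}, length=200\n"
    f"Sending Access-Challenge of id {i} to 10.0.0.5 port 1812"
    for i in range(100, 108)
)


def analyse_eap_conversation(log_text: str) -> Dict[str, object]:
    """Walk the trace in order: every Access-Request that arrives after an
    Access-Challenge counts as the client's reply to that challenge. Whatever
    challenge is still pending at the end is the one the supplicant ignored."""
    answered: List[int] = []
    pending: Optional[int] = None   # id of the challenge awaiting a reply
    final: Optional[str] = None     # Access-Accept / Access-Reject, if reached
    for line in log_text.splitlines():
        if RECV_RE.search(line):
            if pending is not None:
                answered.append(pending)   # client replied to that challenge
                pending = None
            continue
        m = SEND_RE.search(line)
        if m:
            code, pid = m.group(1), int(m.group(2))
            if code == "Access-Challenge":
                pending = pid
            else:
                final = code
    return {
        "answered": answered,
        "unanswered": pending,
        "final": final,
        "stalled_after_n_rounds": len(answered) if pending is not None else None,
    }


if __name__ == "__main__":
    print(analyse_eap_conversation(SAMPLE_LOG))
```

The round number at which the conversation stalls tells you which server message the supplicant received last; read the `[peap]`/`[tls]` debug lines emitted between the last answered Access-Request and the unanswered Access-Challenge to see whether that round carried a TLS handshake message (server certificate) or inner MS-CHAPv2 data.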
