FreeRADIUS + MSCHAPv2 + Vista

Tim Gustafson tjg at
Fri Jan 23 00:18:03 CET 2009

Hi all!

I am running FreeRADIUS on FreeBSD 7.1 for my Cisco wireless APs to authenticate against.  The clients are using MSCHAPv2, and XP and Mac OSX (as well as several wireless devices like iPhones and so on) are able to authenticate against the WAPs just fine, but Vista is failing.  In my log I have:

Auth: Login OK: [test] (from client ucsc-60-40 port 0 via TLS tunnel)
Auth: Login incorrect: [test/<via Auth-Type = EAP>] (from client foo port 519 cli xxxx.xxxx.xxxx)

I Googled for Vista/FreeRADIUS/MSCHAPv2 and found some kerfuffle about there being problems with FreeRADIUS 1.1.3, but I'm running 2.0.5 so I'm assuming that my server is not affected by the 1.1.3 problem.  The kerfuffle seemed to be related to a TLS problem, and based on the log entries above, it seems to me that the TLS tunnel is working fine, but the encapsulated packet is not.

Incidentally, we also tried on a Windows 7 Beta machine, which experienced the exact same symptoms as the Vista machine.

Also, this set-up was working in December and then stopped working somewhere along the way.  I'm wondering if perhaps Microsoft released some sort of "fix" since then that actually broke something.

And, just to be complete about it, if we point the WAP to an Active Directory RADIUS server the set-up works as-is.

Any ideas what might be going on?

Tim Gustafson
BSOE Webmaster
UC Santa Cruz
tjg at

