FreeRADIUS + MSCHAPv2 + Vista

Alan DeKok aland at
Fri Jan 23 08:55:32 CET 2009

Tim Gustafson wrote:
> I am running FreeRADIUS on FreeBSD 7.1 for my Cisco wireless APs to authenticate against.  The clients are using MSCHAPv2 and XP and Mac OSX (as well as several wireless devices like iPhones and so on) are able to authenticate against the WAPs just fine, but Vista is failing.  In my log I have:
> Auth: Login OK: [test] (from client ucsc-60-40 port 0 via TLS tunnel)
> Auth: Login incorrect: [test/<via Auth-Type = EAP>] (from client foo port 519 cli xxxx.xxxx.xxxx)

  Don't look at radius.log to debug problems.  Run in debugging mode.

> I Googled for Vista/FreeRADIUS/MSCHAPv2 and found some kerfuffle about there being problems with FreeRADIUS 1.1.3, but I'm running 2.0.5 so I'm assuming that my server is not affected by the 1.1.3 problem.  The kerfuffle seemed to be related to a TLS problem, and based on the log entries above, it seems to me that the TLS tunnel is working fine, but the encapsulated packet is not.

  Don't guess.  Run in debugging mode and be sure.

> Incidentally, we also tried on a Windows 7 Beta machine, which experienced the exact same symptoms as the Vista machine.
> Also, this set-up was working in December and then stopped working somewhere along the way.  I'm wondering if perhaps Microsoft released some sort of "fix" since then that actually broke something.

  They have been known to do that.  They make gratuitous changes to the
clients to ensure that they break compatibility with *all* non-MS RADIUS
servers.  They've done this multiple times.

> And, just to be complete about it, if we point the WAP to an Active Directory RADIUS server the set-up works as-is.

  Of course!  Microsoft is compatible with themselves.

> Any ideas what might be going on?

  Post the full debugging output.

  Alan DeKok.

More information about the Freeradius-Users mailing list