FreeRADIUS + MSCHAPv2 + Vista
ktm at rice.edu
Fri Jan 23 15:06:55 CET 2009
On Fri, Jan 23, 2009 at 08:55:32AM +0100, Alan DeKok wrote:
> Tim Gustafson wrote:
> > I am running FreeRADIUS on FreeBSD 7.1 for my Cisco wireless APs to authenticate against. The clients are using MSCHAPv2 and XP and Mac OSX (as well as several wireless devices like iPhones and so on) are able to authenticate against the WAPs just fine, but Vista is failing. In my log I have:
> > Auth: Login OK: [test] (from client ucsc-60-40 port 0 via TLS tunnel)
> > Auth: Login incorrect: [test/<via Auth-Type = EAP>] (from client foo port 519 cli xxxx.xxxx.xxxx)
> Don't look at radius.log to debug problems. Run in debugging mode.
> > I Googled for Vista/FreeRADIUS/MSCHAPv2 and found some kerfuffle about there being problems with FreeRADIUS 1.1.3, but I'm running 2.0.5 so I'm assuming that my server is not affected by the 1.1.3 problem. The kerfuffle seemed to be related to a TLS problem, and based on the log entries above, it seems to me that the TLS tunnel is working fine, but the encapsulated packet is not.
> Don't guess. Run in debugging mode and be sure.
> > Incidentally, we also tried on a Windows 7 Beta machine, which experienced the exact same symptoms as the Vista machine.
> > Also, this set-up was working in December and then stopped working somewhere along the way. I'm wondering if perhaps Microsoft release some sort of "fix" since then that actually broke something.
> They have been known to do that. They make gratuitous changes to the
> clients to ensure that they break compatibility with *all* non-MS RADIUS
> servers. They've done this multiple times.
> > And, just to be complete about it, if we point the WAP to an Active Directory RADIUS server the set-up works as-is.
> Of course! Microsoft is compatible with themselves.
> > Any ideas what might be going on?
> Post the full debugging output.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
For what it is worth, we are running Freeradius 2.1.3 using Cisco
wireless APs with PEAP/MSCHAPv2 and TTLS/PAP and are not having any
problems. I will say, that the full debug output is very useful in
determining any problems and how to resolve them.
More information about the Freeradius-Users