Win 7 IKEv2+PEAP = "no NPS server"?

Stefan Winter stefan.winter at
Thu Apr 8 16:25:49 CEST 2010


>   Go through the Windows GUI, and look for "health checks", or something
> like that... turn those off.

I suspected that as well, but NAP stuff is off. But now that I deleted
and re-created the VPN setup, it doesn't ask me again. Probably it
remembered my decision to "connect anyway" eternally. Grr.

>> (*) If you just select EAP-MSCHAPv2 (no inner tunnel), the end result at
>> the FR side is a crippled User-Name (which makes it impossible to auth
>> users).
>   Hmm... what does that mean?

Ah, I found something about that. strongSwan forwards the EAP message in
RADIUS, and both of EAP-Resp/Identity and consequently User-Name are set
to the *IP address* of the connecting client (the non-tunnel one).
This looks like

rad_recv: Access-Request packet from host port 33044,
id=199, length=97
User-Name = " \001\n\030\000\000\004\003aW\025����\353"
EAP-Message = 0x020000150120010a1800000403615715fda1b3aeeb

when the client's public IP address is 2001:0a18:0000:0403:...

We're still trying to stop that from happening. Either it's Windows
which thinks it has to identify itself with its IP address (even though
we're PEAPing here, and "Enable identity privacy" is set - so it is
explicitly told to use that string to authenticate), or it's strongSwan
making this up by itself.

Anyway, not a FreeRADIUS problem.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
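
Added example, not part of the original post: a small decoder for the EAP-Message quoted above, showing that the EAP-Response/Identity payload is a raw 16-byte IPv6 address rather than a user name. The hex string is the one from the post; the function names are hypothetical.

```python
import ipaddress
import struct

# EAP-Message value copied from the Access-Request quoted in the post.
SAMPLE_EAP_HEX = "0x020000150120010a1800000403615715fda1b3aeeb"

EAP_RESPONSE = 2        # EAP Code field: Response
EAP_TYPE_IDENTITY = 1   # EAP Type field: Identity


def parse_eap_identity(eap_hex):
    """Return the raw identity bytes of an EAP-Response/Identity packet."""
    if eap_hex.lower().startswith("0x"):
        eap_hex = eap_hex[2:]
    pkt = bytes.fromhex(eap_hex)
    if len(pkt) < 5:
        raise ValueError("too short for an EAP Response with a Type field")
    # Header: Code (1 byte), Identifier (1 byte), Length (2 bytes, big-endian)
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 5 or length > len(pkt):
        raise ValueError(f"EAP length {length} does not fit {len(pkt)} bytes")
    if code != EAP_RESPONSE or pkt[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return pkt[5:length]


def classify_identity(identity):
    """Describe an identity as printable text or a packed IP address."""
    # Printable ASCII wins first, so a 4-character user name is not
    # mistaken for a packed IPv4 address.
    if identity and all(0x20 <= b < 0x7F for b in identity):
        return ("text", identity.decode("ascii"))
    if len(identity) in (4, 16):
        return ("raw-ip", str(ipaddress.ip_address(identity)))
    return ("binary", identity.hex())


if __name__ == "__main__":
    kind, value = classify_identity(parse_eap_identity(SAMPLE_EAP_HEX))
    print(kind, value)
```

The same 16 bytes are what FreeRADIUS prints, octal-escaped, as the User-Name in the debug output above.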

More information about the Freeradius-Users mailing list