Win 7 IKEv2+PEAP = "no NPS server"?

Alan DeKok aland at
Thu Apr 8 16:47:27 CEST 2010

Stefan Winter wrote:
> Ah, I found something about that. strongswan forwards the EAP message in
> RADIUS, and both of EAP-Resp/Identity and consequently User-Name are set
> to the *IP address* of the connecting client (the non-tunnel one).
> This looks like
> rad_recv: Access-Request packet from host port 33044,
> id=199, length=97
> User-Name = " \001\n\030\000\000\004\003aW\025����\353"
> EAP-Message = 0x020000150120010a1800000403615715fda1b3aeeb
> when the client's public IP address is 2001:0a18:0000:0403:...

  That is an absolutely horrible thing to do.  They should fix that ASAP.

> We're still tryinto stop that from happening. Either it's windows
> which thinks it has to identify itself with its IP address (even though
> we're PEAPing here, and "Enable identity privacy" is set - so it is
> explicitly told to use that string to authenticate), or it's strongswan
> making this up by itself.
> Anyway, not a FreeRADIUS problem.

  I've had conversations with the Strongswan people, and met them in
person.  So if you have issues, CC me in email...

  Alan DeKok.

More information about the Freeradius-Users mailing list