Win 7 IKEv2+PEAP = "no NPS server"?
Alan DeKok
aland at deployingradius.com
Thu Apr 8 16:47:27 CEST 2010
Stefan Winter wrote:
> Ah, I found something about that. strongswan forwards the EAP message in
> RADIUS, and both of EAP-Resp/Identity and consequently User-Name are set
> to the *IP address* of the connecting client (the non-tunnel one).
> This looks like
>
> rad_recv: Access-Request packet from host 158.64.1.13 port 33044,
> id=199, length=97
> User-Name = " \001\n\030\000\000\004\003aW\025����\353"
> EAP-Message = 0x020000150120010a1800000403615715fda1b3aeeb
>
> when the client's public IP address is 2001:0a18:0000:0403:...
That is an absolutely horrible thing to do. They should fix that ASAP.
> We're still trying to stop that from happening. Either it's Windows
> which thinks it has to identify itself with its IP address (even though
> we're PEAPing here, and "Enable identity privacy" is set - so it is
> explicitly told to use that string to authenticate), or it's strongswan
> making this up by itself.
>
> Anyway, not a FreeRADIUS problem.
I've had conversations with the Strongswan people, and met them in
person. So if you have issues, CC me in email...
Alan DeKok.
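
Added example, not part of the original thread and not FreeRADIUS or strongSwan code: it decodes the EAP-Message value from the quoted debug output and shows that the Identity field carries 16 raw address bytes rather than a text identity. The function names are hypothetical; the same check can flag such requests in RADIUS debug logs.

```python
import ipaddress

EAP_RESPONSE = 2       # EAP Code field value for Response (RFC 3748)
EAP_TYPE_IDENTITY = 1  # EAP Type field value for Identity (RFC 3748)

# EAP-Message value copied from the debug output quoted in the thread.
PAGE_EAP_MESSAGE = "0x020000150120010a1800000403615715fda1b3aeeb"


def parse_eap_identity(hex_value):
    """Return the raw Identity bytes of an EAP-Response/Identity packet."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 5:
        raise ValueError("too short for an EAP header plus Type octet")
    code, eap_type = raw[0], raw[4]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes received")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return raw[5:]


def classify_identity(identity):
    """Return (kind, rendering): 'text' for a printable identity,
    'binary-ipv4'/'binary-ipv6' for raw address bytes, else 'binary'."""
    try:
        text = identity.decode("utf-8")
        if text and text.isprintable():
            return "text", text
    except UnicodeDecodeError:
        pass
    if len(identity) == 4:
        return "binary-ipv4", str(ipaddress.IPv4Address(identity))
    if len(identity) == 16:
        return "binary-ipv6", str(ipaddress.IPv6Address(identity))
    return "binary", identity.hex()


if __name__ == "__main__":
    print(classify_identity(parse_eap_identity(PAGE_EAP_MESSAGE)))
```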