PEAP/MSCHAPv2 problem
Alan DeKok
aland at deployingradius.com
Tue Apr 5 10:22:33 CEST 2011
Jürgen Stader wrote:
> OK, once again; I have cloned a radius-server vm, the new radius-server
> has a new DNS-Entry, IP and a new certificate.
Well, that's likely the problem. Have you tried using the *working*
certificate in the new machine?
> The wlan-ssid is
> different from that one which is used by the original radius.
I see. You've changed a number of things at the same time, and are
trying to understand why it isn't working. That isn't good practice.
> I checked both certificates, they match the requirements given by
> Microsoft. The certificates are both signed by same CA, with same O,OU,
> hash-algorithm, key strength... CN is logically different and is set to
> host and dns name (are the same) from the new radius, like:
> CN=new-radius.mydomain.mycountry
The certificates are checked before the supplicant is on the network.
Hostname and DNS names are irrelevant.
> The complete certification path is installed on the client. The client
> doesn't have an extra client certificate, server certificate check is
> turned off in wireless settings.
> A Cisco wireless controller is used for both SSIDs.
>
> Original radius works fine, with both SSIDs, new radius does not.
> So what's wrong?
The debug log points you to a page on the Wiki. The Wiki contains
complete instructions for debugging it both on the server side, and on
the supplicant side.
Alan DeKok.