802.1x on Active Directory: no errors in debug but auth fails

Domenico Viggiani dviggiani at tiscali.it
Mon Feb 7 14:52:24 CET 2011


> > > ..this is where it ends - an access challenge never gets responded to.
> > > do you have the CA of the RADIUS server installed on the client?
> > No but I disabled "Validate Server Certificate" on the client. Is it not enough?
> 
> add the CA
Done but same problem. I read certs/README file with MANY other caveats
about Windows:

  - Windows requires certain OID's in the certificates.  If it doesn't
    see them, it will stop doing EAP.  The most visible effect is
    that the client starts EAP, gets a few Access-Challenge packets,
    and then a little while later re-starts EAP.  If this happens, see
    the FAQ, and the comments in raddb/eap.conf for how to fix it.

  - Windows requires the root certificates to be on the client PC.
    If it doesn't have them, you will see the same issue as above.

  - Windows XP post SP2 has a bug where it has problems with
    certificate chains.  i.e. if the server certificate is an
    intermediate one, and not a root one, then authentication will
    silently fail, as above.

I'm sorry to have blamed Freeradius.

I'm forced to abandon this project and resort to M$'NAP server :(

Thanks
--
DV
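
The certificate caveats quoted from certs/README can be checked before any client is involved. This is an added example, not part of the original message or of FreeRADIUS; it assumes the OpenSSL CLI is installed and takes the required OID to be the server-authentication EKU 1.3.6.1.5.5.7.3.1 (the value FreeRADIUS's certs/xpextensions sets for server certificates). The function names and the throwaway certificates are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from certs/README). Assumes the OpenSSL CLI (1.1.1+) is on PATH.
SERVER_AUTH_OID="1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, "TLS Web Server Authentication"

# 0 if the certificate's Extended Key Usage lists serverAuth
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -Eq "TLS Web Server Authentication|$SERVER_AUTH_OID"
}

# 0 if CERT ($1) chains to the self-signed root ($2) with no intermediate in between
issued_directly_by_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints one line per caveat hit; return status is the number of caveats hit
check_windows_caveats() {
    hits=0
    has_server_auth_eku "$1" || { echo "FAIL: serverAuth EKU ($SERVER_AUTH_OID) missing"; hits=$((hits + 1)); }
    issued_directly_by_root "$1" "$2" || { echo "FAIL: not issued directly by $2"; hits=$((hits + 1)); }
    return "$hits"
}

# Constructed sample data: throwaway root, intermediate and server certs written to dir $1
make_constructed_certs() (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=constructed' \
        '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
        '[srv_ext]' "extendedKeyUsage=$SERVER_AUTH_OID" > o.cnf
    newreq() { openssl req -new -newkey rsa:2048 -nodes -config o.cnf -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
    sign() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 1 -out "$3.pem" ${4:+-extfile o.cnf -extensions $4} 2>/dev/null; }  # $4: optional ext section
    openssl req -x509 -newkey rsa:2048 -nodes -config o.cnf -extensions ca_ext \
        -subj "/CN=root" -days 1 -keyout root.key -out root.pem 2>/dev/null &&
    newreq inter && sign inter root inter ca_ext &&   # intermediate CA
    newreq srv &&
    sign srv root good srv_ext &&       # EKU present, issued by root
    sign srv root bare &&               # no EKU
    sign srv inter chained srv_ext      # EKU present, issued by intermediate
)

d=$(mktemp -d) && make_constructed_certs "$d" &&
    for c in good bare chained; do
        echo "== $c.pem"; check_windows_caveats "$d/$c.pem" "$d/root.pem" || echo "-> $? caveat(s) hit"
    done
rm -rf "$d"
```

Against a real deployment, pass the server certificate configured in raddb/eap.conf and the root CA file that was installed on the Windows client.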



