No EAP/TLS with XP SP3 since End December

Phil Mayers p.mayers at
Mon Jan 3 12:31:26 CET 2011

On 01/03/2011 11:09 AM, Alexandros Gougousoudis wrote:
> Alan DeKok schrieb:
>>    See if your certificate has expired.
> Nope, that was the first I've checked. Server and client-cert are still
> valid. It seems, that no XP client (even some old SP2 clients) can logon
> anymore, Ubuntu can.
> Is there some possibility to force a  "Login OK" as a Default-Action in
> the "users"-file? That could take out the pressure here.

No. EAP must complete successfully - it is a challenge/response. You 
can't just skip to the end of the "response".

To be clear, all windows clients fail? But other clients succeed?

It is possible a windows update has removed the intermediate certificate 
from the client(s). IIRC Microsoft have done this in the past, expecting 
the intermediate CA to be provided during TLS negotiation. In this case, 
you need to have the correct CA (chain) at the FreeRadius side. Have you 
got this configured correctly?

It won't help running such an old version of FreeRadius.

More information about the Freeradius-Users mailing list