Authentication issues with Win7 and WPA/WPA2 Enterprise

Phil Mayers p.mayers at imperial.ac.uk
Wed May 18 17:52:18 CEST 2011


On 18/05/11 16:26, Simon L. wrote:

> Using WPA2-Enterprise results in Access-Rejects after one Request.

That is not normal. WPA2 should be the same as WPA at the radius level.


> Using WPA-Enterprise results in about nine different Access-Challenges
> and one final Access-Accept - that can't be right.

That is normal. EAP exchanges are usually 9/10 request/challenge pairs 
followed by a final request/accept.


What exactly is your problem?

>
> I have set up a testing scenario with the local test user bob. If local
> authentication works properly I want to proxy all requests without EAP
> to another freeradius server. I will have questions to that later :)
>
> radtest from localhost and remotehost succeeded.

Sorry - radtest does not do EAP. radtest is not a valid test.

> I don't have a clue if the problem is Windows, certificates, network or
> simply misconfigured freeradius.

You haven't told us what the problem is. WPA-Enterprise is working for 
you - the radius server is sending an access-accept. What problem are 
you experiencing?

>
> certificates:
> - I built the certs with and without that Windows extension OID in
> server.cnf with make from ../raddb/certs

Why? You MUST include the OID.

> - 2048 bit
>
> Windows 7:
> - installed ca.der as root cert in win7 and configured it for the
> desired WiFi network
> - for my eyes no difference in debug logs if validate server cert or not.

"Validate server cert" is done on the client. You won't see any 
difference on the server.

> - unchecked using windows user or domain for auth
> - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for
> EAP-TLS, right?

PEAP uses TLS. PEAP needs certs too.

>
> WAP:
> - WPA2 Enterprise with AES no accept packet possible until now

As above - that's not normal.

The debug you sent contains no reject. Please send a debug for this case.

> - WPA Enterprise with AES results in that 9-times Challenges until accept

As above - this is normal

Access-Accept means everything is working.

If you are still having problems after the Access-Accept, you need to 
describe what those problems are.
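
Because radtest cannot exercise EAP, a PEAP/MSCHAPv2 conversation like the one the Windows 7 client performs can be driven from the command line with eapol_test (built from the wpa_supplicant sources). The script below is an added example, not part of the original message; the password, shared secret, SSID and CA certificate path are assumed values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: test PEAP/MSCHAPv2 against a RADIUS server with eapol_test.
# Assumed values (not from the original post): password "hello",
# ssid "example", CA file /etc/raddb/certs/ca.pem, RADIUS port 1812.
# Usage: sh peap-test.sh <server-ip> <shared-secret>

# Write a wpa_supplicant-style network block for eapol_test.
# $1 = output file, $2 = identity, $3 = password, $4 = CA certificate (PEM)
# Setting ca_cert makes the test client validate the server certificate,
# which is the client-side check the message refers to.
write_peap_conf() {
    cat > "$1" <<EOF
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$2"
    password="$3"
    phase2="auth=MSCHAPV2"
    ca_cert="$4"
}
EOF
}

# Run the whole EAP conversation (the multi-round challenge exchange and the
# final accept or reject). eapol_test prints SUCCESS or FAILURE at the end.
# $1 = config file, $2 = server IP, $3 = shared secret
run_eap_test() {
    eapol_test -c "$1" -a "$2" -p 1812 -s "$3"
}

# Only contact a server when an address and secret are given and the tool exists.
if [ "$#" -ge 2 ] && command -v eapol_test >/dev/null 2>&1; then
    conf=$(mktemp)
    write_peap_conf "$conf" bob hello /etc/raddb/certs/ca.pem
    run_eap_test "$conf" "$1" "$2"
    rm -f "$conf"
fi
```

Run it alongside the server's debug output so the Access-Challenge rounds and the final Access-Accept or Access-Reject can be matched to the client's SUCCESS or FAILURE line.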


