Authentication issues with Win7 and WPA/WPA2 Enterprise

Gary Gatten Ggatten at waddell.com
Wed May 18 17:59:00 CEST 2011


One point of clarification:

"PEAP uses TLS. PEAP needs certs too."

Not *all* PEAP uses TLS and hence needs certs.  The MS PEAP/MSCHAPv2 is a common example.

G



-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 10:52 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:26, Simon L. wrote:

> Using WPA2-Enterprise results in Access-Rejects after one Request.

That is not normal. WPA2 should be the same as WPA at the radius level.


> Using WPA-Enterprise results in about nine different Access-Challenges
> and one final Access-Accept - that can't be right.

That is normal. EAP exchanges are usually 9/10 request/challenge pairs 
followed by a final request/accept.


What exactly is your problem?

>
> I have set up a testing scenario with the local test user bob. If local
> authentication works properly I want to proxy all requests without EAP
> to another freeradius server. I will have questions to that later :)
>
> radtest from localhost and remotehost succeeded.

Sorry - radtest does not do EAP. radtest is not a valid test.

> I don't get a clue if the problem is Windows, certificates, network or
> simply misconfigured freeradius.

You haven't told us what the problem is. WPA-Enterprise is working for 
you - the radius server is sending an access-accept. What problem are 
you experiencing?

>
> certificates:
> - I build the certs with and without that windows extension OID in
> server.cnf with make from ../raddb/certs

Why? You MUST include the OID.

> - 2048 bit
>
> Windows 7:
> - installed ca.der as root cert in win7 and configured it for the
> desired WiFi network
> - for my eyes no difference in debug logs if validate server cert or not.

"Validate server cert" is done on the client. You won't see any 
difference on the server.

> - unchecked using windows user or domain for auth
> - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for
> EAP-TLS, right?

PEAP uses TLS. PEAP needs certs too.

>
> WAP:
> - WPA2 Enterprise with AES no accept packet possible until now

As above - that's not normal.

The debug you sent contains no reject. Please send a debug for this case.

> - WPA Enterprise with AES results in that 9-times Challenges until accept

As above - this is normal

Access-Accept means everything is working.

If you are still having problems after the Access-Accept, you need to 
describe what those problems are.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
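
The point above about the server certificate needing "the OID" can be checked directly on a built certificate. The script below is an added example, not part of the thread or of FreeRADIUS; it assumes the OID meant is id-kp-serverAuth (1.3.6.1.5.5.7.3.1, shown by openssl as "TLS Web Server Authentication"), which the thread does not spell out, and that the openssl CLI is installed. `make_test_cert` is a hypothetical helper that builds constructed throwaway certificates for comparison.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a RADIUS server certificate
# lists the serverAuth extended key usage. Assumes the openssl CLI is installed
# (1.1.1 or newer, for -addext in the test-certificate helper).

# has_server_auth_eku CERT.pem
# Exit status 0 only if the Extended Key Usage extension names serverAuth.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# make_test_cert OUT.pem [EKU]
# Hypothetical helper: builds a constructed, throwaway self-signed certificate
# (2048-bit RSA), optionally with the given extendedKeyUsage value.
# The private key is written next to it as OUT.pem.key.
make_test_cert() {
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=radius.example.test' \
            -keyout "$1.key" -out "$1" \
            -addext "extendedKeyUsage=$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=radius.example.test' \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

# When called with a certificate path, report on that file.
if [ "$#" -ge 1 ]; then
    if has_server_auth_eku "$1"; then
        echo "$1: serverAuth EKU present"
    else
        echo "$1: serverAuth EKU missing"
    fi
fi
```

Run it against the server certificate produced by `make` in the certs directory; a certificate that carries only a client-authentication EKU is reported as missing, the same as one with no EKU at all.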