PEAP with Machine auth

Francois Gaudreault fgaudreault at inverse.ca
Wed Oct 26 15:59:57 CEST 2011


Hi,
> This kind of Q&A thing helps no one here!
I think it does...

> Many people are reporting the same issue on different platforms! I 
> don't think the problem is either with the client or the certificates 
> since I conducted some testing using the same client and the same 
> certificates but an old FR version (1.1.7) and the tests pass. It's 
> easier to blame something else but we could spend that time 
> contributing to the solution and so helping others!
Even more weird, we have had the same issue lately with one controller 
model, and not the other.  We were using the same config on the client, 
on the server, and the same certs.

I also tend to blame the client though, maybe EAP is now more strict on the 
server side?  If you can point us to a doc to enable the EAP debug under 
Windows, I am sure many people (even myself) would be glad to troubleshoot.

> > Date: Wed, 26 Oct 2011 15:36:19 +0200
> > From: aland at deployingradius.com
> > To: freeradius-users at lists.freeradius.org
> > Subject: Re: PEAP with Machine auth
> >
> > Phil Mayers wrote:
> > > Seriously - it's important to understand that the CLIENT stops
> > > responding. FreeRADIUS can't do anything more in this case - the client
> > > has stopped sending EAPOL packets, so the client must think that
> > > something is wrong.
> >
> > That's the main issue people have with RADIUS. The client is in
> > charge of pretty much everything, and few people understand that.
> >
> > Q: Why does the client stop talking to the server?
> > A: Because it doesn't like the response from the server
> >
> > Q: OK... *what* part of the response doesn't it like?
> > A: Go ask the client
> >
> > Q: But I can't! What do I do?
> > A: well... we don't know, either. Go ask Microsoft.
> >
> > > You will have to debug the client. This is very very painful on Windows;
> > > it's hard to even find the EAPOL debugging options, let alone interpret
> > > the results.
> >
> > Yes. Everyone reading this list should understand CLIENT issues cause
> > you to debug the CLIENT.
> >
> > If the server returns the wrong thing... you can fix the server. For
> > pretty much everything else, blame the client.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
