Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP

Alan DeKok aland at
Tue Aug 7 06:48:54 CEST 2012

PENZ Robert wrote:
> The problem now is that in 1/3 of the clients boots (done over 40 times
> with a tap devices running as sniffer) the Windows Client sends an
> response: Legacy Nak (Response only) [RFC3748] with the wish for PEAP.
> After this the freeradius Server sends a reject ([eap] NAK asked for
> unsupported type PEAP).

  Either configure PEAP, or fix the client to stop asking for PEAP.

> In the 2/3 of the cases it works the Client does not send a NAK, so I
> believe it is a client problem but it’s Windows 7 … there must be
> thousands of installs with Windows 7 and 802.1x EAP/TLS.

  It's definitely a client problem.

> Would it help
> if freeradius ignores the EAP-NAK packets? Any help appreciated!

  That wouldn't help.

  My suggestion is to do a re-install on the client.  Other Windows 7
machines don't behave this way.

  Alan DeKok.

More information about the Freeradius-Users mailing list