Certificate problem between 3.0.11 and 3.1.x
Jonathan Gazeley
Jonathan.Gazeley at bristol.ac.uk
Wed Mar 16 15:23:56 CET 2016
On 15/03/16 16:06, Jonathan Gazeley wrote:
> On 15/03/16 16:00, Matthew Newton wrote:
>> On Tue, Mar 15, 2016 at 03:53:25PM +0000, Jonathan Gazeley wrote:
>>> On 15/03/16 15:47, Arran Cudbard-Bell wrote:
>>>> Any idea what machine auth actually is? Is it something weird like
>>>> EAP-TLS in EAP-TLS?
>>>
>>> It's EAP-PEAP using the default Windows supplicant.
>>
>> What's the inner? MSCHAPv2 or EAP-TLS?
>
> MSCHAPv2.
>>
>> i.e. "Machine auth" with domain credentials (machine account p/w)
>> or certificates?
>
> With domain credentials.
>>
>> PEAP/EAP-TLS runs into MTU issues as Arran said, but I'd expect
>> that to be the same on 3.0.x and 3.1.x. But you probably need to
>> enable debugging on the Windows supplicant side and see what it's
>> complaining about.
>
> Groan. I'm not a Windows guy :)
>
> I'm just puzzled by the apparent difference in behaviour between 3.0.11
> and 3.1.x when neither the certificates nor the clients have been
> changed. I'll keep looking.

Well, I wasn't able to get any useful debugging information out of
Windows so we have reluctantly taken the decision to revert from
bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were
having by avoiding it. We'll revisit this when 3.2.x is released.

Thanks to everyone who helped with our troubleshooting.

Jonathan