Hi,

> Go through the Windows GUI, and look for "health checks", or something
> like that... turn those off.
>

I suspected that as well, but NAP stuff is off. But now that I deleted and re-created the VPN setup, it doesn't ask me again. Probably it remembered my decision to "connect anyway" eternally. Grr.

>> (*) If you just select EAP-MSCHAPv2 (no inner tunnel), the end result at
>> the FR side is a crippled User-Name (which makes it impossible to auth
>> users).
>>
> Hmm... what does that mean?
>

Ah, I found something about that. strongswan forwards the EAP message in RADIUS, and both of EAP-Resp/Identity and consequently User-Name are set to the *IP address* of the connecting client (the non-tunnel one). This looks like

rad_recv: Access-Request packet from host 158.64.1.13 port 33044, id=199, length=97
        User-Name = " \001\n\030\000\000\004\003aW\025����\353"
        EAP-Message = 0x020000150120010a1800000403615715fda1b3aeeb

when the client's public IP address is 2001:0a18:0000:0403:...

We're still trying to stop that from happening. Either it's Windows which thinks it has to identify itself with its IP address (even though we're PEAPing here, and "Enable identity privacy" is set - so it is explicitly told to use that string to authenticate), or it's strongswan making this up by itself. Anyway, not a FreeRADIUS problem.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
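
The EAP-Message in the debug output above can be decoded to check what the Identity field actually carries. The following is an added example, not part of the original message and not FreeRADIUS or strongSwan code; the function names are hypothetical, and the only input is the hex string quoted in the message.

```python
import ipaddress
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP-Message value copied from the rad_recv output quoted in the message.
SAMPLE = "0x020000150120010a1800000403615715fda1b3aeeb"

def parse_eap(hex_attr):
    """Parse one EAP packet from the 0x... hex form radiusd prints (hypothetical helper)."""
    text = hex_attr[2:] if hex_attr.lower().startswith("0x") else hex_attr
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the attribute")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident,
           "length": length, "type": None, "data": b""}
    # Only Request/Response packets carry a Type byte and type data.
    if code in (1, 2) and length >= 5:
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:length]
    return pkt

def classify_identity(data):
    """Guess what an EAP-Response/Identity payload holds (hypothetical helper)."""
    if data and all(0x20 <= b < 0x7F for b in data):
        return ("text", data.decode("ascii"))
    # A non-printable payload of exactly 16 or 4 bytes is most likely a
    # packed IP address rather than a user or realm string.
    if len(data) == 16:
        return ("raw-ipv6", str(ipaddress.IPv6Address(data)))
    if len(data) == 4:
        return ("raw-ipv4", str(ipaddress.IPv4Address(data)))
    return ("binary", data.hex())

if __name__ == "__main__":
    pkt = parse_eap(SAMPLE)
    print(pkt["code"], "id", pkt["id"], "len", pkt["length"], "type", pkt["type"])
    print(classify_identity(pkt["data"]))
```

The 16 data bytes are the same bytes that appear, octal-escaped, in the User-Name attribute of the same request.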