Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

Stefan Winter wrote:
>> I've tried to follow the Microsoft document[1] however I wasn't able to
>> locate "Configuration Manager console". Holy cow.
>>
>> [1] - http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx
>>
>> If you can point me where I can uncheck such a checkbox...
>
> "Protected EAP Properties" Window has three checkboxes near the bottom.
> The relevant one is labelled "Enable Quarantine Checks".

Hm. This doesn't help. At least for Vista's built-in PEAP
authentication. I do have those checkboxes unchecked, however it doesn't
matter whether they are checked or not - the process stops after sending
Access-Challenge.


I'll try to debug this issue more with netsh ;-) later.

OTOH I'll recommend my users use the secureW2 EAP suite (which works).

Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread SecureW2 (List)
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Arran Cudbard-Bell
> Sent: Thursday 24 July 2008 15:59
> To: FreeRadius users mailing list
> Subject: Re: PEAP or TTLS and Microsoft Vista.
> 
> SecureW2 (List) wrote:
> > As I thought, I have been having trouble on the wired side when an MPPE
> > key is being sent by the server.
> >
> > It looks like this "confuses" the Vista client as when you are using
> > wired you usually don't need the MPPE key.
> >
> > Try disabling the MPPE key configuration in the Freeradius config so it
> > is not sent, I don't know how to do this though... ;)
> >
> >
> No. Vista works fine with (PEAP/TTLS) & MSCHAPv2 + MPPE keys with 802.1x
> on wired interfaces. The ~1000 or so Vista users on the 802.1x
> authenticated portion of our wired network would agree (most using Vista
> native supplicant). I've not seen any issues with XP SP3 either, on
> wired or wireless.
> 

Ah ok. As it turns out it is the NAS.

> This is using FR 2.04 (Alan decided to 'fix' the proxying behaviour for
> 2.05 and I've not had a chance to 'adjust' our configuration files yet).
> 
> We're using certificates signed by 'Thawte Premium Server CA', and
> performing CA and certificate CN validation... all just works with
> the exception of the odd Vista box that *refuses* to do user
> authentication and tries to perform machine authentication, ugh. For
> those we use SecureW2, which also generally works fine with a *near*
> default configuration.
> 

I have not tested SW2 on wired yet due to lack of hardware so it is good to
hear it works... :)

> BTW from those traces your NAS looks broken if it's sending EAP Ident
> requests after authentication has succeeded.
> 
> Arran
> > Tom
> >
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:freeradius-users-[EMAIL PROTECTED]
> >> On Behalf Of Lech Karol Pawlaszek
> >> Sent: Thursday 24 July 2008 13:23
> >> To: FreeRadius users mailing list
> >> Subject: Re: PEAP or TTLS and Microsoft Vista.
> >>
> >> SecureW2 (List) wrote:
> >>
> >>> http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
> >>>
> >> Nice article. However I don't understand a few things. What's "pdb"?
> >> I'm not good at Windows.
> >>
> >>
> >>> To enable logging do the following:
> >>>
> >>> - Netsh wlan set tra yes
> >>> - netsh ras set tr * en
> >>> - Reproduce your problem
> >>> - netsh ras set tr * dis
> >>> - Netsh wlan set tra no
> >>>
> >> Well. I have problems with a _wired_ connection so I've used "netsh lan"
> >> instead of "netsh wlan". I hope it's the right thing.
> >>
> >>
> >>> If you go to the %windir%\tracing\wireless\ directory you will find a
> >>> load of .etl files in different directories.
> >>>
> >> :-) yea. Which one is... hm... important? onex or eaphost?
> >>
> >>
> >>> Use the tracerpt *.* command to change the .etl to readable .txt files.
> >>>
> >> I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
> >> should search for. Any hints?
> >>
> >>
> >>> PS. I don't like plugging like this but we are almost finished with the
> >>> latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and
> >>> EAP-GTC and has been tested quite extensively with Vista SP0/SP1.
> >>>
> >> Awesome. I hope it'll work with my Vistas...
> >>
> >> Kind regards,
> >>
> >> --
> >> Lech Karol Pawłaszek 
> >> "You will never see me fall from grace" [KoRn]
> >>
> >
> >
> >
> >
> 
> 
> --
> Arran Cudbard-Bell ([EMAIL PROTECTED]),
> Authentication, Authorisation and Accounting Officer,
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> 




Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Arran Cudbard-Bell

SecureW2 (List) wrote:
> As I thought, I have been having trouble on the wired side when an MPPE key
> is being sent by the server.
>
> It looks like this "confuses" the Vista client as when you are using wired
> you usually don't need the MPPE key.
>
> Try disabling the MPPE key configuration in the Freeradius config so it is
> not sent, I don't know how to do this though... ;)

No. Vista works fine with (PEAP/TTLS) & MSCHAPv2 + MPPE keys with 802.1x
on wired interfaces. The ~1000 or so Vista users on the 802.1x
authenticated portion of our wired network would agree (most using Vista
native supplicant). I've not seen any issues with XP SP3 either, on
wired or wireless.

This is using FR 2.04 (Alan decided to 'fix' the proxying behaviour for
2.05 and I've not had a chance to 'adjust' our configuration files yet).

We're using certificates signed by 'Thawte Premium Server CA', and
performing CA and certificate CN validation... all just works with
the exception of the odd Vista box that *refuses* to do user
authentication and tries to perform machine authentication, ugh. For
those we use SecureW2, which also generally works fine with a *near*
default configuration.


BTW from those traces your NAS looks broken if it's sending EAP Ident 
requests after authentication has succeeded.


Arran

> Tom
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]
>> On Behalf Of Lech Karol Pawlaszek
>> Sent: Thursday 24 July 2008 13:23
>> To: FreeRadius users mailing list
>> Subject: Re: PEAP or TTLS and Microsoft Vista.
>>
>> SecureW2 (List) wrote:
>>> http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
>>
>> Nice article. However I don't understand a few things. What's "pdb"?
>> I'm not good at Windows.
>>
>>> To enable logging do the following:
>>>
>>> - Netsh wlan set tra yes
>>> - netsh ras set tr * en
>>> - Reproduce your problem
>>> - netsh ras set tr * dis
>>> - Netsh wlan set tra no
>>
>> Well. I have problems with a _wired_ connection so I've used "netsh lan"
>> instead of "netsh wlan". I hope it's the right thing.
>>
>>> If you go to the %windir%\tracing\wireless\ directory you will find a
>>> load of .etl files in different directories.
>>
>> :-) yea. Which one is... hm... important? onex or eaphost?
>>
>>> Use the tracerpt *.* command to change the .etl to readable .txt files.
>>
>> I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
>> should search for. Any hints?
>>
>>> PS. I don't like plugging like this but we are almost finished with the
>>> latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
>>> and has been tested quite extensively with Vista SP0/SP1.
>>
>> Awesome. I hope it'll work with my Vistas...
>>
>> Kind regards,
>>
>> --
>> Lech Karol Pawłaszek 
>> "You will never see me fall from grace" [KoRn]

  



--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services), 
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT

DDI+FAX: +44 1273 873900 | INT: 3900



(SOLVED) Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

Phil Mayers wrote:
> Lech Karol Pawłaszek wrote:
>> SecureW2 (List) wrote:
>>> http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
>>
>> Nice article. However I don't understand a few things. What's "pdb"?
>> I'm not good at Windows.
>
> Good lord... they've made the EAP logging *worse*. I didn't think that
> was possible.

:-)

[...]

> So, all is good. But about 5 seconds later:
>
> [2108] 12:04:03.819 OneXIndicatePacket
> [2108] 12:04:03.819 Port(38): Received an Eap packet length=5,
> type=EapRequestId, identifier=11, eapType=0
>
> [4924] 12:04:03.820 Port(38): Restarting authentication due to reason =
> PeerInitiated
>
> similarly in eaphost.txt:
>
> [3432] 12:04:03.831 Received an identity request packet without an
> active session - restart auth
>
> Are you sure the problem is what you think it is?


Ok. You rock. It's 3com's fault. At least I believe so. I've upgraded 
3com 4500 switch firmware to the newest version on my test switch and 
when "user handshaking" is disabled everything works.


FWIW the previous firmware (which I use on production atm) doesn't have 
an option to disable user handshaking. Pity.


And to be clear - ALL OTHER OSes (namely MacOsX 10.4 Tiger, MacOsX 10.5 
Leopard, GNU/Linux <> and MS 
Windows XP <>) work with this feature enabled.


[...]
> Can you get a trace from both the windows machine and FreeRadius run
> under "-X" at the *same time*? The "freeradius.log" in your original
> email does not appear to be the same issue - that looks more like there
> are no compatible EAP types at both ends.


Hm. The original "freeradius.log" contains logs when I tried to 
authenticate using Vista's built-in PEAP supplicant. Which - I suppose - 
says that Vista doesn't like my certificate.


OTOH "freeradius-securew2.log" contains logs from when I tried to use the
secureW2 EAP suite, which showed the server side of this issue. I was able
to connect and work for a minute or so. And suddenly... the switch sends a
'handshake packet' which confuses Vista... and the connection is dropped.

Anyway. Thanks everyone for your help. I'll do some more testing and try to
update the firmware on production. I'll let you know if everything is ok.


Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]


RE: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread SecureW2 (List)
As I thought, I have been having trouble on the wired side when an MPPE key
is being sent by the server.

It looks like this "confuses" the Vista client as when you are using wired
you usually don't need the MPPE key.

Try disabling the MPPE key configuration in the Freeradius config so it is
not sent, I don't know how to do this though... ;)

Tom

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Lech Karol Pawlaszek
> Sent: Thursday 24 July 2008 13:23
> To: FreeRadius users mailing list
> Subject: Re: PEAP or TTLS and Microsoft Vista.
> 
> SecureW2 (List) wrote:
> > http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
> 
> Nice article. However I don't understand a few things. What's "pdb"?
> I'm not good at Windows.
> 
> > To enable logging do the following:
> >
> > - Netsh wlan set tra yes
> > - netsh ras set tr * en
> > - Reproduce your problem
> > - netsh ras set tr * dis
> > - Netsh wlan set tra no
> 
> Well. I have problems with a _wired_ connection so I've used "netsh lan"
> instead of "netsh wlan". I hope it's the right thing.
> 
> > If you go to the %windir%\tracing\wireless\ directory you will find a
> > load of .etl files in different directories.
> 
> :-) yea. Which one is... hm... important? onex or eaphost?
> 
> > Use the tracerpt *.* command to change the .etl to readable .txt files.
> 
> I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
> should search for. Any hints?
> 
> > PS. I don't like plugging like this but we are almost finished with the
> > latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
> > and has been tested quite extensively with Vista SP0/SP1.
> 
> Awesome. I hope it'll work with my Vistas...
> 
> Kind regards,
> 
> --
> Lech Karol Pawłaszek 
> "You will never see me fall from grace" [KoRn]





Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Stefan Winter


> I've tried to follow the Microsoft document[1] however I wasn't able to
> locate "Configuration Manager console". Holy cow.
>
> [1] - http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx
>
> If you can point me where I can uncheck such a checkbox...

"Protected EAP Properties" Window has three checkboxes near the bottom.
The relevant one is labelled "Enable Quarantine Checks".


Stefan

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473


Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

Stefan Winter wrote:

> Hi,
>
> I noticed that the EAP debug speaks about quarantine states and such.
> XP3 and Vista have "Network Access Protection". Is that checkbox checked
> in your supplicant config? If yes, try unchecking it.

I've tried to use netsh nap offline to disable Network Access Protection,
however the problem still occurs. I'm using Windows' built-in supplicant
(for PEAP), which doesn't work probably because of a wrong certificate,
and the secureW2 EAP suite 1.0.6, which doesn't have a "Network Access
Protection" checkbox. To be honest built-in PEAP doesn't have it either.
Or at least I couldn't find it.

I've tried to follow the Microsoft document[1] however I wasn't able to
locate "Configuration Manager console". Holy cow.

[1] - http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx

If you can point me where I can uncheck such a checkbox...

Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Phil Mayers

Lech Karol Pawłaszek wrote:
> SecureW2 (List) wrote:
>> http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
>
> Nice article. However I don't understand a few things. What's "pdb"?
> I'm not good at Windows.


Good lord... they've made the EAP logging *worse*. I didn't think that 
was possible.


It looks to me like the authentication is succeeding in those latest 
files; onex.txt says (at line 1367):


[4924] 12:03:49.152 Port(38): Received an Eap packet length=4, 
type=EapSuccess, identifier=10, eapType=0


...then a few lines later:

[2896] 12:03:49.202 Port(38): MPPE-Send/Recv-Keys derived by supplicant

[2896] 12:03:49.202 Port(38): The auth succeeded. Deleting all cached UI 
Responses


[2896] 12:03:49.284 Port(38): Start processing local event: 
(PAESuppSuccess)
[2896] 12:03:49.284 Port(38): Completed the 802.1X authentication 
successfully


So, all is good. But about 5 seconds later:

[2108] 12:04:03.819 OneXIndicatePacket
[2108] 12:04:03.819 Port(38): Received an Eap packet length=5, 
type=EapRequestId, identifier=11, eapType=0


[4924] 12:04:03.820 Port(38): Restarting authentication due to reason = 
PeerInitiated


similarly in eaphost.txt:

[3432] 12:04:03.831 Received an identity request packet without an 
active session - restart auth


Are you sure the problem is what you think it is?

Also, I see in your windows logs reference to the securew2 supplicant; 
are you sure you haven't broken the EAP stack on the windows box? Maybe 
got it confused?


Can you get a trace from both the windows machine and FreeRadius run 
under "-X" at the *same time*? The "freeradius.log" in your original 
email does not appear to be the same issue - that looks more like there 
are no compatible EAP types at both ends.


I'm not in the office this week so can't try to reproduce it, but I will
have a try next week.

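Phil's reading of the trace (EapSuccess on a port, then an EAP Request/Identity on the same port a little later, which the supplicant treats as a peer-initiated restart) can be checked mechanically. The following is an added example, not code from the thread or from FreeRADIUS: it scans onex.txt-style lines for exactly that pattern and reports how long after success the identity request arrived. The sample lines are the ones quoted in the message above; the line and packet regexes are assumptions about the trace format.

```python
import re
from datetime import datetime

# Constructed sample: the onex.txt lines quoted in the message above
# (the real file is much longer; only the lines relevant here are kept).
ONEX_SAMPLE = """\
[4924] 12:03:49.152 Port(38): Received an Eap packet length=4, type=EapSuccess, identifier=10, eapType=0
[2896] 12:03:49.202 Port(38): MPPE-Send/Recv-Keys derived by supplicant
[2896] 12:03:49.284 Port(38): Completed the 802.1X authentication successfully
[2108] 12:04:03.819 OneXIndicatePacket
[2108] 12:04:03.819 Port(38): Received an Eap packet length=5, type=EapRequestId, identifier=11, eapType=0
[4924] 12:04:03.820 Port(38): Restarting authentication due to reason = PeerInitiated
"""

# Assumed line layout: "[thread] HH:MM:SS.mmm Port(N): message" (Port(...) optional).
LINE_RE = re.compile(
    r"^\[(?P<tid>\d+)\]\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?:Port\((?P<port>\d+)\):\s+)?(?P<msg>.*)$"
)
# Assumed EAP packet line layout as seen in the quoted trace.
EAP_RE = re.compile(
    r"Received an Eap packet .*?type=(?P<type>\w+), identifier=(?P<id>\d+)"
)


def parse_ts(ts):
    """Parse the time-of-day stamp used by the trace (no date component)."""
    return datetime.strptime(ts, "%H:%M:%S.%f")


def find_restarts_after_success(text):
    """Return (port, seconds_after_success, eap_identifier) for every
    EAP Request/Identity that arrives on a port which had already reached
    EapSuccess. Each hit is the NAS (not the supplicant) re-opening the
    EAP conversation after a completed authentication."""
    success_at = {}   # port -> timestamp of the last EapSuccess on it
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("port") is None:
            continue                      # not a per-port trace line
        port = int(m.group("port"))
        ts = parse_ts(m.group("ts"))
        e = EAP_RE.search(m.group("msg"))
        if not e:
            continue                      # not an EAP packet line
        if e.group("type") == "EapSuccess":
            success_at[port] = ts
        elif e.group("type") == "EapRequestId" and port in success_at:
            delta = (ts - success_at[port]).total_seconds()
            if delta < 0:                 # trace crossed midnight
                delta += 86400
            findings.append((port, round(delta, 3), int(e.group("id"))))
            del success_at[port]          # supplicant restarts; await next success
    return findings


def report(findings):
    """Human-readable summary, one line per post-success identity request."""
    return [
        f"Port({port}): EAP Request/Identity (id={ident}) {secs:.3f}s after "
        f"EapSuccess - authenticator restarted the session"
        for port, secs, ident in findings
    ]


if __name__ == "__main__":
    for line in report(find_restarts_after_success(ONEX_SAMPLE)):
        print(line)
```

Run against a full onex.txt, repeated hits with a steady interval point at a periodic re-authentication or "handshake" feature on the switch rather than at the supplicant.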


Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Stefan Winter

Hi,

I noticed that the EAP debug speaks about quarantine states and such. 
XP3 and Vista have "Network Access Protection". Is that checkbox checked 
in your supplicant config? If yes, try unchecking it.


Greetings,

Stefan Winter


Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

SecureW2 (List) wrote:
> http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx

Nice article. However I don't understand a few things. What's "pdb"?
I'm not good at Windows.

> To enable logging do the following:
>
> - Netsh wlan set tra yes
> - netsh ras set tr * en
> - Reproduce your problem
> - netsh ras set tr * dis
> - Netsh wlan set tra no

Well. I have problems with a _wired_ connection so I've used "netsh lan"
instead of "netsh wlan". I hope it's the right thing.

> If you go to the %windir%\tracing\wireless\ directory you will find a
> load of .etl files in different directories.

:-) yea. Which one is... hm... important? onex or eaphost?

> Use the tracerpt *.* command to change the .etl to readable .txt files.

I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
should search for. Any hints?

> PS. I don't like plugging like this but we are almost finished with the
> latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
> and has been tested quite extensively with Vista SP0/SP1.

Awesome. I hope it'll work with my Vistas...

Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]



eaphost.txt.gz
Description: GNU Zip compressed data


onex.txt.gz
Description: GNU Zip compressed data

RE: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread SecureW2 (List)
http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx

To enable logging do the following:

- Netsh wlan set tra yes
- netsh ras set tr * en
- Reproduce your problem
- netsh ras set tr * dis
- Netsh wlan set tra no

If you go to the %windir%\tracing\wireless\ directory you will find a load of
.etl files in different directories.

Use the tracerpt *.* command to change the .etl to readable .txt files.

Tom

PS. I don't like plugging like this but we are almost finished with the
latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
and has been tested quite extensively with Vista SP0/SP1. 

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Phil Mayers
> Sent: Wednesday 23 July 2008 16:40
> To: FreeRadius users mailing list
> Subject: Re: PEAP or TTLS and Microsoft Vista.
> 
> Alan DeKok wrote:
> > Lech Karol Pawłaszek wrote:
> >>>   Vista and XP3 are broken.  Microsoft does this deliberately.
> >> Is there any way to un-break it?
> >
> >   Ask Microsoft.  I'll ask some of the people who may be (partially)
> > responsible next week.
> >
> >> I know this is not the place to ask such questions however is there any
> >> way to check what might "getting in the way"?
> >
> >   Check the Windows EAP logs... there's a way to enable this, but I
> > don't recall what it is.
> 
> Under windows XP you can do it via "netsh"; I think the command is:
> 
> netsh ras set tracing eapol enable
> 
> I never found a way to do this under Vista, though the last time I
> looked at Vista was a pre-release version.
> 
> >
> >> Or is there any other software besides Vista's built-in PEAP and
> >> securew2 TTLS which can be used w/ 802.1x?
> >
> >   Cisco, Juniper, etc. all have supplicants.
> >
> >   Alan DeKok.
> 




Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Phil Mayers

Alan DeKok wrote:
> Lech Karol Pawłaszek wrote:
>>>   Vista and XP3 are broken.  Microsoft does this deliberately.
>> Is there any way to un-break it?
>
>   Ask Microsoft.  I'll ask some of the people who may be (partially)
> responsible next week.
>
>> I know this is not the place to ask such questions however is there any
>> way to check what might be "getting in the way"?
>
>   Check the Windows EAP logs... there's a way to enable this, but I
> don't recall what it is.

Under windows XP you can do it via "netsh"; I think the command is:

netsh ras set tracing eapol enable

I never found a way to do this under Vista, though the last time I
looked at Vista was a pre-release version.

>> Or is there any other software besides Vista's built-in PEAP and
>> securew2 TTLS which can be used w/ 802.1x?
>
>   Cisco, Juniper, etc. all have supplicants.
>
>   Alan DeKok.




Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Alan DeKok
Lech Karol Pawłaszek wrote:
>>   Vista and XP3 are broken.  Microsoft does this deliberately.
> 
> Is there any way to un-break it?

  Ask Microsoft.  I'll ask some of the people who may be (partially)
responsible next week.

> I know this is not the place to ask such questions however is there any
> way to check what might "getting in the way"?

  Check the Windows EAP logs... there's a way to enable this, but I
don't recall what it is.

> Or is there any other software besides Vista's built-in PEAP and
> securew2 TTLS which can be used w/ 802.1x?

  Cisco, Juniper, etc. all have supplicants.

  Alan DeKok.


Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Lech Karol Pawłaszek

Alan DeKok wrote:
> Lech Karol Pawłaszek wrote:
>> I've tested my configuration with eapol_test command (as suggested at
>> this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
>> MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
>> and it works fine. It doesn't work with Windows Vista and Windows XP
>> SP3. Please help!
>
>   Vista and XP3 are broken.  Microsoft does this deliberately.

Is there any way to un-break it? I've tried to add server.cer to Vista
however this doesn't help. I understand that it's Vista's and XP SP3's
fault however I might be forced because of that to use Microsoft's
solutions.

Is there anyone who uses FreeRADIUS w/ Vista for _WIRED_ connections?

>> One more thing. If I don't use Windows' PEAP authorization and install
>> securew2 and use securew2's auth - I am able to connect. It works for a
>> minute or so and then the NAS reports lost carrier and the connection is lost.
>
>   Something else is going on there.  The securew2 software   Maybe the
> Vista wireless management is getting in the way, and hanging up on a
> perfectly valid connection.

I know this is not the place to ask such questions however is there any
way to check what might be "getting in the way"?

Or is there any other software besides Vista's built-in PEAP and
securew2 TTLS which can be used w/ 802.1x?


Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]


Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Alan DeKok
Lech Karol Pawłaszek wrote:
> I've tested my configuration with eapol_test command (as suggested at
> this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
> MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
> and it works fine. It doesn't work with Windows Vista and Windows XP
> SP3. Please help!

  Vista and XP3 are broken.  Microsoft does this deliberately.

> One more thing. If I won't use Windows' PEAP authorization and install
> securew2 and use securew2's auth - I am able to connect. Work for a
> minute or so and then NAS reports lost carrier and the connection is lost.

  Something else is going on there.  The securew2 software   Maybe the
Vista wireless management is getting in the way, and hanging up on a
perfectly valid connection.

  Alan DeKok.


Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Alan DeKok
nf-vale wrote:
> I'm also suffering from this Vista "disease". But in my case I can
> authenticate users using PEAP, from XP SP2 and SP3 clients, even with
> "Validating Server Certificate" checked.
> 
> The problem is only with Vista. I've all the windows updates available
> installed but I can't get it to work even with the "Validate Server
> Certificate" unchecked.

  In short, Vista is broken.  Again.  It's a little hard to tell why
it's broken.

> The freeradius version that I'm using it's the 2.0.2, and I've tried
> both with the radius "test" certificates and other, and the behavior is
> exactly the same.

  Other people have gotten Vista to work with that configuration.  Maybe
it's an older version with different patches?

> The radius log always shows the following:
>...
> Sending Access-Challenge of id 93 to 192.168.100.199 port 1024
...
> Finished request 11.
> Going to the next request
> Waking up in 0.9 seconds. 
> Waking up in 3.9 seconds. 
> Cleaning up request 10 ID 92 with timestamp +1627

  Which means that Vista has decided for its own "magical" reasons to
stop talking to the RADIUS server.

> Is there anything that I'm missing?

  Nope.  Vista is broken.  Microsoft does this in order to tell people
that it works "better" with IAS than with other RADIUS servers.  They've
done this repeatedly with XP and with Vista.

  Alan DeKok.


Re: PEAP or TTLS and Microsoft Vista.

2008-07-22 Thread nf-vale
I'm also suffering from this Vista "disease". But in my case I can
authenticate users using PEAP, from XP SP2 and SP3 clients, even with
"Validating Server Certificate" checked.

The problem is only with Vista. I've all the windows updates available
installed but I can't get it to work even with the "Validate Server
Certificate" unchecked.

The freeradius version that I'm using is the 2.0.2, and I've tried
both with the radius "test" certificates and other, and the behavior is
exactly the same.

The radius log always shows the following:

"...
rad_recv: Access-Request packet from host 192.168.100.199 port 1024,
id=93, length=340
Framed-MTU = 1480
NAS-IP-Address = 192.168.100.199
NAS-Identifier = "HP ProCurve Switch 2626-PWR"
User-Name = "teste"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 2
NAS-Port-Type = Ethernet
NAS-Port-Id = "2"
Called-Station-Id = "00-11-85-ad-b7-c0"
Calling-Station-Id = "00-1b-38-8f-40-aa"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x2a4cc8322ac0d1b35c7650bea0308dda
EAP-Message =
0x028c00741980006a1603010065016103014886730236b0840bd6df9358c1446c3e62e956de01ad320ddc04441dcf82d46218002f00350005000ac009c00ac013c0140032003800130004012a0008057465737465000a00080006001700180019000b00020100
Message-Authenticator = 0xd46becf93b1bcccd0402d3496f7f5721
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "teste", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 140 length 116
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
users: Matched entry teste at line 1
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for teste
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=teste)
expand: ou=People,dc=local,dc=loc -> ou=People,dc=local,dc=loc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=local,dc=loc, with filter
(uid=teste)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 106
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
(other): before/accept initialization 
TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0065], ClientHello  
TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 03b0], Certificate  
TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
TLS_accept: SSLv3 write server done A 
TLS_accept: SSLv3 flush data 
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 93 to 192.168.100.199 port 1024

PEAP or TTLS and Microsoft Vista.

2008-07-22 Thread Lech Karol Pawłaszek

Hello.

I need your help. For the last few days I have been trying to authenticate and
authorize the Microsoft Vista operating system against FreeRADIUS and a 3com
switch (as NAS) for wired authentication with no luck.

I'm using FreeRADIUS 2.0.5 from sources built on Debian Etch GNU/Linux
and certs made by the bootstrap command (so those certs should have a bit of
magic from xpextensions afaik). I try to make little steps and change as
little as possible - to be honest I've only added a user to the users file
and a client definition to the clients.conf file.

I've tested my configuration with eapol_test command (as suggested at
this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
and it works fine. It doesn't work with Windows Vista and Windows XP
SP3. Please help!

What I have spotted is that the server sends "Access Challenge" and then
on OSX a dialog pops up where I can accept the server's certificate, and on
Windows it's over. So I think it's the issue mentioned on this site[2],
however I DO have Validate Server Certificate un-checked.

One more thing. If I don't use Windows' PEAP authorization and install
securew2 and use securew2's auth - I am able to connect. It works for a
minute or so and then the NAS reports lost carrier and the connection is lost.

I've written about this issue about a year ago however this was put
on-hold. You might want to look at the logfiles from those tests.

[1] - http://deployingradius.com/scripts/eapol_test/
[2] - http://deployingradius.com/documents/configuration/eap-problems.html
[3] - http://lists.freeradius.org/pipermail/freeradius-users/2007-July/msg00096.html

Any hints and tips much appreciated. I'm attaching two logfiles. The
first one - freeradius.log - is the one where I'm trying to authenticate
using system-wide PEAP. The second one, namely freeradius-securew2.log,
is the one where switch receives Access-Accept and a few moments later
switch sends back information that the carrier is lost.

I've compressed both logfiles. I hope it's ok here. If it's not - please 
let me know.


Thanks in advance.

--
Lech Karol Pawłaszek 
"You will never see me fall from grace." [KoRn]



freeradius.log.gz
Description: GNU Zip compressed data


freeradius-securew2.log.gz
Description: GNU Zip compressed data