Re: WPA Peap problems with Vista (yet again)

2008-04-04 Thread Alan DeKok
Michael Torrie wrote:
> Yet I still have the problem where after the Access-Challenge is sent,
> the Vista clients just silently drop things and the connection fails.
> This is the behavior that I know I would get if I don't have the
> required OID in the certificate.   Yet it is there!  I ran 'openssl x509
> -in /path/to/cert.crt -noout -text' and it shows the extended usage as
> I'd expect.  For some reason openssl calls it TLS Web Server
> Authentication. 

  That's the right one.

> Any ideas?  Debug output is:

  Pretty standard.

> Any ideas on how to better debug and fix this major problem for me?

  Ask Vista why it's not authenticating... there isn't much else you can
do on the RADIUS server to debug the problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


WPA Peap problems with Vista (yet again)

2008-04-04 Thread Michael Torrie
I've read through the list archives about people's problems with Vista
and FreeRadius, including the recent messages on this list in January,
and a couple of exchanges back in 2006 and 2007.  I am running
FreeRadius 1.1.7 on a RHEL 4 box, compiled from Fedora 8's FreeRadius
SRPM.  According to the changelog, the patch/hack to get around Vista's
broken SSL fragment handling has been in FreeRadius since 1.1.4, so
we're good there.  I also read the big warning in the eap.conf file and
have ensured that my certificate indeed does have the proper OID that
Microsoft requires.  The setup (1.1.5 before, and 1.1.7 now) has been
working fine for XP SP2 for years.

Yet I still have the problem where after the Access-Challenge is sent,
the Vista clients just silently drop things and the connection fails.
This is the behavior that I know I would get if I don't have the
required OID in the certificate.   Yet it is there!  I ran 'openssl x509
-in /path/to/cert.crt -noout -text' and it shows the extended usage as
I'd expect.  For some reason openssl calls it TLS Web Server
Authentication.  Thinking that it was still wrong, I did as was
suggested on the list in January, and downloaded FreeRadius 2.0.3 and
created a self-signed cert with those tools.  It looks the exact same,
so I know the OID is right.

Any ideas?  Debug output is:
Sending Access-Challenge of id 90 to 192.168.4.10 port 21702
EAP-Message = 0x010800061900
Message-Authenticator = 0x
State = 0xdf09144102cbf146277d93e7d554a782
Finished request 1939
Going to the next request

Any ideas on how to better debug and fix this major problem for me?

thanks,

Michael
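
An added example, not part of the original thread and not FreeRADIUS code: a small decoder for the EAP-Message value shown in the debug output above, so the last packet sent to the Vista client can be read field by field. The function name parse_eap and the result keys are hypothetical; the layout assumed is the 4-byte EAP header (RFC 3748) followed by the type and flags bytes used by EAP-TLS style methods (RFC 5216).

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_FRAMED = {13, 21, 25}  # methods that carry the L/M/S flags byte


def parse_eap(hex_value):
    """Decode an EAP-Message attribute value as printed in the debug log."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"length field {length} does not fit {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
           "length": length}
    body = raw[4:length]
    if code in (1, 2) and body:
        etype = body[0]
        pkt["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        if etype in TLS_FRAMED and len(body) >= 2:
            flags, data = body[1], body[2:]
            pkt["length_included"] = bool(flags & 0x80)  # L bit
            pkt["more_fragments"] = bool(flags & 0x40)   # M bit
            pkt["start"] = bool(flags & 0x20)            # S bit
            pkt["version"] = flags & 0x07                # PEAP/TTLS version bits
            if pkt["length_included"]:
                if len(data) < 4:
                    raise ValueError("L bit set but TLS message length missing")
                pkt["tls_message_length"] = struct.unpack("!I", data[:4])[0]
                data = data[4:]
            pkt["tls_data_len"] = len(data)
            # No L/M/S bits and no payload: the empty form that EAP-TLS
            # framing uses to acknowledge a fragment.
            pkt["empty_ack"] = not (flags & 0xE0) and not data
    return pkt


if __name__ == "__main__":
    # Value copied from the debug output in the post above.
    for key, value in parse_eap("0x010800061900").items():
        print(f"{key:16} {value}")
```

The value from the log decodes as an EAP Request of type PEAP with no flags set and no TLS payload, so a packet capture on the client side is needed to see what Vista does with it.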