Hello,

Thank you. It works with XP and FreeRADIUS using EAP/MD5.
We found the problem from "EAP's id".
Supplicant (Windows XP) is disturbed by EAP's id.

AP -> XP          EAP/Request identity (id=1)
XP -> AP -> FR    EAP/Response identity/RADIUS Access Request (id=1)

and FR RADIUS/challenge (id also is 1), XP is confused and sends EAP/Response identity again.
The AP's vendor has fixed it by changing initial EAP/Request identity EAP id to 0. :p
But it works fine with XP and Win2k RADIUS.

Sigh... Although EAP/MD5 is insecure, it's convenient to use for general users.
Because dynamic generation of WEP keys needed in some vendors' AP is not supported in FR, I can't use EAP/TLS. :~~
(EAP module does not send "MS-MPPE.." with the Access-Accept packet)
Any good news about dynamic generation of WEP keys? :)

Thank you very much.

Sincerely,
--
Wayne Ying-Jui Lee

> ----- Original Message -----
> From: "McNutt, Justin M." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, April 24, 2002 7:30 PM
> Subject: RE: EAP/MD5 with XP & FreeRADIUS
>
> > Has someone ever tried EAP/MD5 working with Windows XP
> > and FreeRADIUS?
>
> Yes. It works... if configured properly on both sides.
>
> > I found something strange..
> > "EAPOL start" -> Identity Request and Reply.....
> > After FreeRADIUS sends "challenge" and Access Point forwards it, it
> > seems XP doesn't understand "challenge" and XP sends "identity reply" again....
> > The authentication procedure becomes a loop and wouldn't end.
>
> What does your RADIUS configuration look like? Specifically:
>
> 1) Do you have EAP enabled in your radius.conf file?
>
> 2) Do you have the NAS (the Access Point) defined in your clients.conf file
> (along with the correct shared secret)?
>
> 3) What does this user's entry look like in the users file?
>
> > Is it a problem of Windows XP?
> > It's ok if I use XP + Windows 2000 RADIUS.
> > Excuse me for disturbing us. Thank you.
>
> Not a problem. It's most likely the configuration on one side or another.
> Several people have been able to get EAP/MD5 to work with Windows XP.
>
> One thing to remember, though: EAP/MD5 is a rather insecure method of doing
> things, even with Windows 2000 RADIUS, because each user's password is
> stored on the RADIUS server in a decryptable (or even cleartext!) format.
> It is better to use EAP/TLS, which also works with FreeRADIUS and Windows
> XP.
>
> --J
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
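
The identifier collision described in the message above, as an added example that is not part of the original thread: EAP (RFC 3748, section 4.1) requires a retransmitted Request to keep its Identifier and a new Request to change it, so a peer can take a challenge that reuses id=1 for a repeat of the Identity Request. The function names and the challenge bytes are constructed for illustration.

```python
import struct

# EAP header (RFC 3748 section 4): Code(1) Identifier(1) Length(2) [Type(1) Data...]
REQUEST, RESPONSE = 1, 2
IDENTITY, MD5_CHALLENGE = 1, 4

def eap(code, ident, eap_type, data=b""):
    """Build a constructed EAP Request/Response packet."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse(pkt):
    """Split an EAP Request/Response into (code, identifier, type, data)."""
    if len(pkt) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length < 5 or length > len(pkt):
        raise ValueError("bad EAP length field")
    return code, ident, eap_type, pkt[5:length]

def find_identifier_reuse(packets):
    """Return indexes of Requests that carry new content under the previous
    Request's Identifier. A byte-identical Request is a legitimate
    retransmission and is not flagged."""
    flagged, prev = [], None
    for i, pkt in enumerate(packets):
        code, ident, eap_type, data = parse(pkt)
        if code != REQUEST:
            continue  # Responses echo the Request's Identifier by design
        if prev is not None and prev[0] == ident and prev[1:] != (eap_type, data):
            flagged.append(i)
        prev = (ident, eap_type, data)
    return flagged

# Constructed sample data: Value-Size octet followed by a 16-byte challenge value.
CHALLENGE = bytes([16]) + bytes(range(16))

# Sequence from the message: Identity Request and challenge both use id=1.
BROKEN = [eap(REQUEST, 1, IDENTITY), eap(REQUEST, 1, MD5_CHALLENGE, CHALLENGE)]
# After the vendor's change: the initial Identity Request uses id=0.
FIXED = [eap(REQUEST, 0, IDENTITY), eap(REQUEST, 1, MD5_CHALLENGE, CHALLENGE)]
# A true retransmission of the same Request keeps its Identifier.
RETRANSMIT = [eap(REQUEST, 1, IDENTITY), eap(REQUEST, 1, IDENTITY)]

if __name__ == "__main__":
    for name, seq in (("broken", BROKEN), ("fixed", FIXED), ("retransmit", RETRANSMIT)):
        print(name, find_identifier_reuse(seq))
```

Run over the EAP payloads extracted from a capture between the access point and the supplicant, a non-empty result points at the Request that reused the Identifier.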
