Tim Gustafson wrote:
> I am running FreeRADIUS on FreeBSD 7.1 for my Cisco wireless APs to
> authenticate against. The clients are using MSCHAPv2 and XP and Mac OSX (as
> well as several wireless devices like iPhones and so on) are able to
> authenticate against the WAPs just fine, but Vista is failing. In my log I
> have:
>
> Auth: Login OK: [test] (from client ucsc-60-40 port 0 via TLS tunnel)
> Auth: Login incorrect: [test/<via Auth-Type = EAP>] (from client foo port 519
> cli xxxx.xxxx.xxxx)

Don't look at radius.log to debug problems. Run in debugging mode.

> I Googled for Vista/FreeRADIUS/MSCHAPv2 and found some kerfuffle about there
> being problems with FreeRADIUS 1.1.3, but I'm running 2.0.5 so I'm assuming
> that my server is not affected by the 1.1.3 problem. The kerfuffle seemed to
> be related to a TLS problem, and based on the log entries above, it seems to
> me that the TLS tunnel is working fine, but the encapsulated packet is not.

Don't guess. Run in debugging mode and be sure.

> Incidentally, we also tried on a Windows 7 Beta machine, which experienced
> the exact same symptoms as the Vista machine.
>
> Also, this set-up was working in December and then stopped working somewhere
> along the way. I'm wondering if perhaps Microsoft released some sort of "fix"
> since then that actually broke something.

They have been known to do that. They make gratuitous changes to the clients to ensure that they break compatibility with *all* non-MS RADIUS servers. They've done this multiple times.

> And, just to be complete about it, if we point the WAP to an Active Directory
> RADIUS server the set-up works as-is.

Of course! Microsoft is compatible with themselves.

> Any ideas what might be going on?

Post the full debugging output.

Alan DeKok.

