On Fri, Jan 23, 2009 at 08:55:32AM +0100, Alan DeKok wrote:
> Tim Gustafson wrote:
> > I am running FreeRADIUS on FreeBSD 7.1 for my Cisco wireless APs to 
> > authenticate against.  The clients are using MSCHAPv2 and XP and Mac OSX 
> > (as well as several wireless devices like iPhones and so on) are able to 
> > authenticate against the WAPs just fine, but Vista is failing.  In my log I 
> > have:
> > 
> > Auth: Login OK: [test] (from client ucsc-60-40 port 0 via TLS tunnel)
> > Auth: Login incorrect: [test/<via Auth-Type = EAP>] (from client foo port 
> > 519 cli xxxx.xxxx.xxxx)
> 
>   Don't look at radius.log to debug problems.  Run in debugging mode.
> 
> > I Googled for Vista/FreeRADIUS/MSCHAPv2 and found some kerfuffle about 
> > there being problems with FreeRADIUS 1.1.3, but I'm running 2.0.5 so I'm 
> > assuming that my server is not affected by the 1.1.3 problem.  The 
> > kerfuffle seemed to be related to a TLS problem, and based on the log 
> > entries above, it seems to me that the TLS tunnel is working fine, but the 
> > encapsulated packet is not.
> 
>   Don't guess.  Run in debugging mode and be sure.
> 
> > Incidentally, we also tried on a Windows 7 Beta machine, which experienced 
> > the exact same symptoms as the Vista machine.
> > 
> > Also, this set-up was working in December and then stopped working 
> > somewhere along the way.  I'm wondering if perhaps Microsoft released some 
> > sort of "fix" since then that actually broke something.
> 
>   They have been known to do that.  They make gratuitous changes to the
> clients to ensure that they break compatibility with *all* non-MS RADIUS
> servers.  They've done this multiple times.
> 
> > And, just to be complete about it, if we point the WAP to an Active 
> > Directory RADIUS server the set-up works as-is.
> 
>   Of course!  Microsoft is compatible with themselves.
> 
> > Any ideas what might be going on?
> 
>   Post the full debugging output.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
For what it is worth, we are running FreeRADIUS 2.1.3 using Cisco
wireless APs with PEAP/MSCHAPv2 and TTLS/PAP and are not having any
problems. I will say that the full debug output is very useful in
determining any problems and how to resolve them.

Cheers,
Ken