One point of clarification: "PEAP uses TLS. PEAP needs certs too."
Not *all* PEAP uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a common example.

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 10:52 AM
To: [email protected]
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:26, Simon L. wrote:
> Using WPA2-Enterprise results in Access-Rejects after one Request.

That is not normal. WPA2 should be the same as WPA at the radius level.

> Using WPA-Enterprise results in about nine different Access-Challenges
> and one final Access-Accept - that can't be right.

That is normal. EAP exchanges are usually 9/10 request/challenge pairs followed by a final request/accept.

What exactly is your problem?

>
> I have set up a testing scenario with the local test user bob. If local
> authentication works properly I want to proxy all requests without EAP
> to another freeradius server. I will have questions to that later :)
>
> radtest from localhost and remotehost succeeded.

Sorry - radtest does not do EAP. radtest is not a valid test.

> I don't get a clue if the Problem is Windows, Certificates, Network or
> simply misconfigured freeradius.

You haven't told us what the problem is. WPA-Enterprise is working for you - the radius server is sending an access-accept. What problem are you experiencing?

>
> certificates:
> - I build the certs with and without that windows extension OID in
> server.cnf with make from ../raddb/certs

Why? You MUST include the OID.

> - 2048 bit
>
> Windows 7:
> - installed ca.der as root cert in win7 and configured it for the
> desired WiFi network
> - for my eyes no difference in debug logs if validate server cert or not.

"Validate server cert" is done on the client. You won't see any difference on the server.

> - unchecked using windows user or domain for auth
> - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap -
> tls right?

PEAP uses TLS. PEAP needs certs too.

>
> WAP:
> - WPA2 Enterprise with AES no accept packet possible until now

As above - that's not normal. The debug you sent contains no reject. Please send a debug for this case.

> - WPA Enterprise with AES results in that 9-times Challenges until accept

As above - this is normal

Access-Accept means everything is working. If you are still having problems after the Access-Accept, you need to describe what those problems are.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
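An added illustration, not part of the thread and not FreeRADIUS code: a sketch that parses RADIUS packets (RFC 2865 layout) and summarizes one conversation, showing the run of request/challenge pairs before the final accept that Phil calls normal, next to a PAP request that carries no EAP-Message at all. The packets are constructed samples with zeroed authenticators and dummy payloads, and all function names are hypothetical.

```python
import struct
# RADIUS codes (RFC 2865) and the attribute numbers that matter here.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_PASSWORD, EAP_MESSAGE = 2, 79
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}  # outer EAP types only

def parse(pkt):
    """Return (code name, {attribute type: [values]}) for one RADIUS packet."""
    if len(pkt) < 20 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos, length = {}, 20, len(pkt)  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(pkt[pos], []).append(pkt[pos + 2:pos + pkt[pos + 1]])
        pos += pkt[pos + 1]
    return CODES.get(pkt[0], str(pkt[0])), attrs

def summarize(packets):
    """Classify one conversation: EAP or not, outer types, challenges, final reply."""
    out = {"eap": False, "types": [], "challenges": 0, "final": None}
    for name, attrs in map(parse, packets):
        if name == "Access-Request" and EAP_MESSAGE in attrs:
            out["eap"] = True
            eap = b"".join(attrs[EAP_MESSAGE])  # EAP may span several attributes
            if len(eap) > 4 and eap[0] == 2:    # EAP code 2 = Response
                etype = EAP_TYPES.get(eap[4], str(eap[4]))
                if etype not in out["types"]:
                    out["types"].append(etype)
        elif name == "Access-Challenge":
            out["challenges"] += 1
        elif name in ("Access-Accept", "Access-Reject"):
            out["final"] = name
    return out

# --- constructed sample traffic (zeroed authenticators, dummy payloads) ---
def build(code, ident, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def eap_conversation(pairs=9):  # Identity first, then PEAP; last reply is Accept
    pkts = []
    for i in range(pairs + 1):
        eap = struct.pack("!BBHB", 2, i, 6, 1 if i == 0 else 25) + b"x"
        pkts += [build(1, i, [(EAP_MESSAGE, eap)]), build(11 if i < pairs else 2, i, [])]
    return pkts

def pap_conversation():  # non-EAP check: User-Password only, no EAP-Message
    return [build(1, 0, [(USER_PASSWORD, bytes(16))]), build(2, 0, [])]
```

Only the outer EAP type is visible at this layer; with PEAP the inner method runs inside the TLS tunnel and does not appear in the RADIUS attributes.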

