Initial test results passing PEAP et al to FR (vs. Aruba terminating PEAP) and "proxying" MSCHAP APPEAR to work well. Testing is by no means 100% complete, but so far so good. Scenarios that used to result in a reject are now working as expected. I had an initial problem 'cause I installed this to /devel/ to test with and I mucked something up and many files and dirs ended up directly under /devel instead of for instance /devel/raddb/. I created raddb and copied certs there and it was more happy.

FWIW: We are NOT using client certs at this time, we are using the PEAP/MSCHAPv2 and "use my windows credentials" option.

Thanks!
Gary

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, May 18, 2011 12:41 PM
To: '[email protected]'
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

I have a 2.1.10 server we are testing with, but I thought the patch you mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x? We will be testing passing the entire *eap session to FR this afternoon.

----- Original Message -----
From: Phil Mayers [mailto:[email protected]]
Sent: Wednesday, May 18, 2011 12:29 PM
To: [email protected] <[email protected]>
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts:

Your Aruba wireless equipment is:

a. Terminating the outer EAP-PEAP
b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and I even suspect I know how - I think it's probably clients typing in their username in mIxEd-CaSe, which will cause cryptographic (hash) mismatches at client and server without careful preservation of the EAP payload.

As per Neal Garber's post of 10th May, even FreeRADIUS had problems with this prior to 2.1.10

Are you / have you been able to:

1. stop terminating the PEAP on the Aruba
2. upgrade to FreeRADIUS 2.1.10

?
-
List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html

"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
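
Added example, not part of the original thread or of FreeRADIUS or Aruba code: the MS-CHAPv2 challenge hash from RFC 2759 covers the username bytes, so the mixed-case mismatch suspected in the thread can be reproduced with SHA-1 alone. The usernames, challenge values and the `compare_names` helper are constructed for illustration, and the case-folding intermediary is a hypothetical stand-in for whatever rewrites the name in transit.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    material = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(material).digest()[:8]


def compare_names(typed: str, forwarded: str, peer: bytes, auth: bytes) -> dict:
    """Hypothetical helper: compare the challenge the client hashed (name as
    typed) with the one the server derives (name as it arrived)."""
    client = challenge_hash(peer, auth, typed)
    server = challenge_hash(peer, auth, forwarded)
    # The NT-Response is a DES encryption of this 8-octet value under keys
    # derived from the password hash, so differing challenges mean the
    # server's expected response cannot equal what the client sent, even
    # with the correct password.
    return {
        "typed": typed,
        "forwarded": forwarded,
        "client_challenge": client.hex(),
        "server_challenge": server.hex(),
        "match": client == server,
    }


# Constructed sample values, not captured traffic.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))

if __name__ == "__main__":
    cases = [
        ("jSmith", "jSmith"),  # name preserved end to end
        ("jSmith", "jsmith"),  # name case-folded somewhere in between
    ]
    for typed, forwarded in cases:
        print(compare_names(typed, forwarded, PEER_CHALLENGE, AUTH_CHALLENGE))
```
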

