For what it's worth, I'm not yet seeing these Vista PEAP issues with Cisco ACS (3.3)- but admittedly we have not tested all four thousand versions of Vista:)
Lee Lee Badman Network/Wireless Engineer Syracuse University 315 443-3003 >>> Frank Bulk <[EMAIL PROTECTED]> 3/27/2007 10:59 PM >>> Between the WIRELESS-LAN and RESNET-L listserv it seems like there are two issues with Vista and wireless. Problem: Client associates but is unable to obtain IP. Reason: Vista has changed they way Microsoft handles PEAP. The extra empty fragment (sent as a security measure by OpenSSL) confuses Vista such that the PEAP transaction doesn't complete. The RADIUS vendors have had to add support for the "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS" flag. This flag is required and described in more detail here: http://www.openssl.org/~bodo/tls-cbc.txt Resolution: Update/patch RADIUS server to latest version. FreeRADIUS 1.1.5 is out but it v1.1.4 already addressed this. It was fixed in Radiator 3.16 late last year. Note: Only applies to those using PEAP for authentication, not an issue for WEP or WPA/WPA2-PSK. There's also an unpublished Microsoft KB article, 932063, that seems to fix this. I'm still getting verification on this. Problem: Client associates but is unable to obtain IP from certain routers or from certain non-Microsoft DHCP servers Reason: This issue occurs because of a difference in design between Windows Vista and Microsoft Windows XP Service Pack 2 (SP2). Specifically, in Windows XP SP2, the BROADCAST flag in DHCP discovery packets is set to 0 (disabled). In Windows Vista, the BROADCAST flag in DHCP discovery packets is not disabled. This means that Vista asks for the DHCP offer to come back by broadcast, which may not work on some DHCP servers. Resolution: Disable the DHCP broadcast flag as documented here: http://support.microsoft.com/kb/928233/en-us Regards, Frank ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
