We have ACS v4.0(1) Build 27 and have not heard any major issues with Vista. 
I'm sure we have a few Vista users b/c we have heard issues with the Cisco WiSM 
login page.

Luck? Possibly. 

--------------------------------------------------------------------------------
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
...there's no such thing as a bad timbit...

  ----- Original Message ----- 
  From: Frank Bulk 
  To: [email protected] 
  Sent: Wednesday, March 28, 2007 8:51 AM
  Subject: Re: [WIRELESS-LAN] Wireless and Vista - recap


  I reviewed the release notes for ACS v4.1 but didn't see any mention of the
  "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS" flag.  I also heard nothing about IAS,
  Funk Odyssey, or Meetinghouse.  Perhaps others on this list can pipe in with
  their success/failure surrounding PEAPv0/MSCHAPv2 and Vista.

  Frank

  -----Original Message-----
  From: Lee Badman [mailto:[EMAIL PROTECTED] 
  Sent: Wednesday, March 28, 2007 7:09 AM
  To: [email protected]
  Subject: Re: [WIRELESS-LAN] Wireless and Vista - recap

  For what it's worth, I'm not yet seeing these Vista PEAP issues with
  Cisco ACS (3.3)- but admittedly we have not tested all four thousand
  versions of Vista:)


  Lee

  Lee Badman
  Network/Wireless Engineer
  Syracuse University
  315 443-3003

  >>> Frank Bulk <[EMAIL PROTECTED]> 3/27/2007 10:59 PM >>>
  Between the WIRELESS-LAN and RESNET-L listserv it seems like there are two
  issues with Vista and wireless.

  Problem: Client associates but is unable to obtain IP.
  Reason: Vista has changed the way Microsoft handles PEAP.  The extra empty
  fragment (sent as a security measure by OpenSSL) confuses Vista such that
  the PEAP transaction doesn't complete.  The RADIUS vendors have had to add
  support for the "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS" flag.  This flag is
  required and described in more detail here:
  http://www.openssl.org/~bodo/tls-cbc.txt
  Resolution: Update/patch RADIUS server to latest version.  FreeRADIUS 1.1.5
  is out but v1.1.4 already addressed this.  It was fixed in Radiator 3.16
  late last year.
  Note: Only applies to those using PEAP for authentication, not an issue for
  WEP or WPA/WPA2-PSK.  There's also an unpublished Microsoft KB article,
  932063, that seems to fix this.  I'm still getting verification on this.


  Problem: Client associates but is unable to obtain IP from certain routers
  or from certain non-Microsoft DHCP servers
  Reason: This issue occurs because of a difference in design between Windows
  Vista and Microsoft Windows XP Service Pack 2 (SP2). Specifically, in
  Windows XP SP2, the BROADCAST flag in DHCP discovery packets is set to 0
  (disabled). In Windows Vista, the BROADCAST flag in DHCP discovery packets
  is not disabled. This means that Vista asks for the DHCP offer to come back
  by broadcast, which may not work on some DHCP servers.
  Resolution: Disable the DHCP broadcast flag as documented here:
  http://support.microsoft.com/kb/928233/en-us

  Regards,

  Frank

  **********
  Participation and subscription information for this EDUCAUSE
  Constituent Group discussion list can be found at
  http://www.educause.edu/groups/.
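
The BROADCAST flag named in the second problem of the recap is the high bit of the 16-bit flags field in the DHCP header. The following is an added example, not written by anyone in this thread: it parses the UDP payload of a captured DHCP message and reports that bit, so Vista-style and XP SP2-style DISCOVERs can be told apart in a capture. The sample packets, MAC addresses and function names are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)
BROADCAST_BIT = 0x8000              # high bit of the BOOTP/DHCP flags field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP message (UDP payload) and report its BROADCAST flag."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    # op, htype, hlen, hops, xid, secs, flags occupy the first 12 bytes.
    _op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack(
        "!BBBBIHH", payload[:12])
    # chaddr starts at offset 28 (after ciaddr, yiaddr, siaddr, giaddr).
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + min(hlen, 16)])
    msg_type = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 53 and length == 1:   # DHCP Message Type
            msg_type = MSG_TYPES.get(value[0], str(value[0]))
        i += 2 + length
    return {"xid": xid, "mac": mac, "msg_type": msg_type,
            "broadcast": bool(flags & BROADCAST_BIT)}


def build_discover(mac: bytes, xid: int, broadcast: bool) -> bytes:
    """Build a minimal DHCPDISCOVER; constructed sample input, not a capture."""
    flags = BROADCAST_BIT if broadcast else 0
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, flags)
    body = bytes(16) + mac.ljust(16, b"\x00") + bytes(64 + 128)
    return header + body + MAGIC_COOKIE + b"\x35\x01\x01\xff"


if __name__ == "__main__":
    # Constructed clients: one sets the flag (Vista behaviour), one clears it (XP SP2).
    for name, bcast in (("vista-like", True), ("xp-sp2-like", False)):
        pkt = build_discover(bytes.fromhex("020000000001"), 0x1234, bcast)
        print(name, parse_dhcp(pkt))
```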
