Hi Joy,
> We are in the process of testing support for MSCHAPv2 on our wireless > network. (We have been supporting only TTLS/PAP up to now.) > > > I have a radiator/ntlm configuration that works with MSCHAPv2 and > Windows7 and Windows Vista machines. We cannot get it to work with Mac > OS 10.6 or MacOS Lion or iPhones or iPads. > > > I have the radiator logs in debug mode and it looks like the ntlm > authentication is working just fine. There are no error messages but > the Mac OS X machine never gets an IP address. > > > It seems that our problem might be related to the Aruba access points > we are using because we have an engineer that has a different type of > access point set up at home with a windows radius server and his Mac > works ok there with MSCHAPv2. > > > I'm wondering if there are any known problems with Aruba equipment and > MSCHAPv2 and Mac OS 10.6 and higher? The Aruba equipment is showing a > "mic failure" towards the end of the negotiation. > > > We are running version 4.7 of radiator on a linux machine. We support both EAP-TTLS/PAP and PEAP with Radiator; Cisco wireless infrastructure. I remember we had to add a couple of config directives to our Radiator to keep the various PEAP implementations working. Perhaps the issue is not with your Aruba gear, but rather the interaction between Radiator and the OS X supplicant. Copy/paste from our handler that does the outer authentication for TTLS & PEAP: # You can make PEAP Version 1 support compatible with # nonstandard PEAP V1 clients that use the old broken TLS # encryption labels that appear to be used frequently, due # to Microsofts use of the incorrect label in its V0 client. # You should use this with Funk Odyssey Client version 4 # when EAPTLS_PEAPVersion is set to 1 EAPTLS_PEAPBrokenV1Label # workaround for a bug in some EAP TTLS supplicants, # (notably PBG4 on MAC OSX) EAPTTLS_NoAckRequired Regards, Jeroen van Ingen ICT Service Centre University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
