(RADIATOR) Anyone get EAP-PEAP on XP to work Radius?

Bon sy bon at bunny.cs.qc.edu
Sat Mar 8 07:36:15 CST 2003


Hi Christian, John, and Mike,

	I have a similar problem as John on getting the 802.1X client of
XP to work with the radius via Cisco 350 AP -- except I am looking into
EAP-TLS. 

	I have the same setup on the 802.1x client side. I followed the
document reference mentioned in eap_tls.cfg for the setup, but no luck. I
talked to Mike and he emailed me the screenshot of the Cisco (340?) AP
setup required to work with EAP-TLS. I followed that and used the
certificate Hugh mentioned not too long ago for the test. Still no luck.

	When I initially configured the AP and checked both EAP and MAC
authentication in the "security tab" of the AP setup, I kept getting
radius responses on MAC authentication, and EAP authentication did not
seem to happen. So, I thought it could be a certificate issue or that the AP
just ignores the EAP authentication because MAC authentication is also
checked.

	Next, what I did was uncheck MAC authentication and leave only EAP
authentication, and use the test certificate Hugh posted so that it
eliminates the possibility that the problem is due to certificate
generation. With that, radius does not even get the request response. A
minor side note: I did make sure to use the right certificate in the XP
machine. So, assuming the screenshot Mike sent me is complete, the
only possible conclusion left is the XP side. But as of now, I could not
find any document addressing similar problems. John's posting is as close
to my problem as I can find.

	Does anyone out there have any insights? Thanks in advance!

Bon


On Fri, 7 Mar 2003, Christian Wiedmann wrote:

> Your settings sound fine.  I have PEAP authentication working with the same
> setup on XP Home (SP1).  I don't think that it matters whether the authenticate
> as computer or authenticate as guest boxes are checked (except that obviously
> it's going to fail to authenticate if you don't have them configured in
> Radiator).
> 
> Are you sure you're getting a TLS tunnel?  The TLS tunnel isn't established
> until the first identity exchange, which normally only happens after you enter
> information in the login window.  If you actually are getting to the TLS stage,
> Windows must have credentials from somewhere - double check the MSCHAP-V2
> settings to make sure it isn't using your Windows login information.
> 
> What AP are you using?  If it is a Linksys WRT51AB or similar, I've discovered
> that the AP requires a State attribute to be in the Radius replies.  I've
> modified my version of Radiator to add one.  I'm not sure if there is a cfg-
> file way of doing this -- I actually modified the perl code.
> 
> 	-Christian
> 
> On Fri, 7 Mar 2003, John McFadden wrote:
> 
> > Date: Fri, 07 Mar 2003 14:16:44 -0500
> > From: John McFadden <dasjlm at uwo.ca>
> > To: radiator at open.com.au
> > Subject: (RADIATOR) Anyone get EAP-PEAP on XP to work Radius?
> > 
> > I installed the latest Service Pack on XP to get the built in 802.1x client 
> > but can't seem to get it to
> > authenticate via Radius. It appears that I get a TLS tunnel but never 
> > get a logon popup on XP.
> > 
> > I believe it is some kind of setup issue on XP not Radiator so I just 
> > would like to
> > verify my XP setup before getting into Radiator.
> > 
> > I started the Wireless Zero Config service.
> > 
> > I clicked on the applicable connection and its property button.
> > 
> > In the authentication tab (confirms the Wireless Zero Config installed 
> > and running.)
> > -I clicked on Enable IEEE802.1x
> > -I selected Protected EAP (PEAP)
> > -I left off Authenticate as computer
> > -I left off Authenticate as guest
> > 
> > 
> > In the PEAP properties tab.
> > -I left off validate server certificate - I assume not required for 
> > EAP-PEAP?  Is this my problem?
> > -I selected EAP-MSCHAPV2 as authentication method.
> > 
> > In the EAP-MSCHAPV2 properties I left off the use Windows userid, 
> > password and domain.
> > 
> > Can someone comment on or confirm that this setup should work?
> > 
> > 
> > 
> > Thanks in advance.
> > 
> > John McFadden
> > 
> > 
> > 
> > 
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> > 
> 
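
An added example, not part of the thread and not Radiator's code: a small RADIUS packet check for the two questions raised above, whether a request from the AP carries EAP-Message at all, and whether an Access-Challenge reply carries a State attribute. The sample packets are constructed, and the check assumes that MAC authentication arrives as a plain password request without EAP-Message.

```python
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 24, 79, 80

def parse_radius(pkt):
    """Return (code, identifier, {attr_type: [values]}) for one RADIUS packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs.setdefault(atype, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs

def describe(pkt):
    """Summarise what matters when debugging 802.1X: is it EAP, is State present."""
    code, _, attrs = parse_radius(pkt)
    notes = [CODES.get(code, "code %d" % code)]
    if EAP_MESSAGE in attrs:
        notes.append("EAP")
        if MESSAGE_AUTHENTICATOR not in attrs:
            notes.append("missing Message-Authenticator")
    elif code == 1 and USER_PASSWORD in attrs:
        notes.append("no EAP-Message (plain password request)")
    if code == 11 and STATE not in attrs:
        notes.append("no State attribute")
    return notes

def build(code, ident, attrs):
    """Build a constructed sample packet (authenticator zeroed, not valid on the wire)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples; user names, MAC address and State value are made up.
MA = (MESSAGE_AUTHENTICATOR, bytes(16))                  # placeholder, not a real HMAC
TLS_START = (EAP_MESSAGE, b"\x01\x01\x00\x06\x0d\x20")   # EAP-Request, type 13, Start flag
MAC_REQ = build(1, 1, [(USER_NAME, b"0123456789ab"), (USER_PASSWORD, bytes(16))])
EAP_REQ = build(1, 2, [(USER_NAME, b"user"), (EAP_MESSAGE, b"\x02\x00\x00\x09\x01user"), MA])
CHAL_NO_STATE = build(11, 2, [TLS_START, MA])
CHAL_STATE = build(11, 2, [TLS_START, (STATE, b"s1"), MA])
```

Feeding it the UDP payloads from a capture between the AP and the RADIUS server shows at a glance whether EAP requests reach the server and which replies lack State.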
