(RADIATOR) Anyone get EAP-PEAP on XP to work Radius?

Denis Pavani d.pavani at cineca.it
Tue Mar 11 03:26:07 CST 2003


Did you install user certificates on XP?

Bon sy wrote:

>Hi Christian, John, and Mike,
>
>	I have a similar problem as John on getting the 802.1X client of
>XP to work with the radius via Cisco 350 AP -- except I am looking into
>EAP-TLS. 
>
>	I have the same setup on the 802.1x client side. I follow the
>document reference mentioned in eap_tls.cfg for the setup, but no luck. I
>talked to Mike and he emailed me the screen shot of the Cisco (340?) AP
>set up required to work with the EAP-TLS. I follow that and use the
>certificate Hugh mentioned not too long ago for the test. Still no luck.
>
>	When I initially config the AP and check both EAP and Mac
>authentication in the "security tab" of the AP setup, I kept getting
>radius response on MAC authentication, and EAP authentication does not
>seem to happen. So, I thought it could be the certificate issue or the AP
>just ignores the EAP authentication because MAC authentication is also
>checked. 
>
>	Next what I do is to uncheck MAC authentication and leave only EAP
>authentication, and use the test certificate Hugh posted so that it
>eliminates the possibility of the problem that is due to certificate 
>generation. With that, radius does not even get the request response. A
>minor side note, I did make sure to use the right certificate in the XP
>machine. So, assuming the screen shot Mike sent me is complete, the
>only possible conclusion left is the XP side. But as of now, I could not
>find any document addressing similar problems. John's posting is as close
>to my problem as I can find. 
>
>	Does anyone out there have any insights? Thanks in advance!
>
>Bon
>
>
>On Fri, 7 Mar 2003, Christian Wiedmann wrote:
>
>  
>
>>Your settings sound fine.  I have PEAP authentication working with the same
>>setup on XP Home (SP1).  I don't think that it matters whether the authenticate
>>as computer or authenticate as guest boxes are checked (except that obviously
>>it's going to fail to authenticate if you don't have them configured in
>>Radiator).
>>
>>Are you sure you're getting a TLS tunnel?  The TLS tunnel isn't established
>>until the first identity exchange, which normally only happens after you enter
>>information in the login window.  If you actually are getting to the TLS stage,
>>Windows must have credentials from somewhere - double check the MSCHAP-V2
>>settings to make sure it isn't using your Windows login information.
>>
>>What AP are you using?  If it is a Linksys WRT51AB or similar, I've discovered
>>that the AP requires a State attribute to be in the Radius replies.  I've
>>modified my version of Radiator to add one.  I'm not sure if there is a cfg-
>>file way of doing this -- I actually modified the perl code.
>>
>>	-Christian
>>
>>On Fri, 7 Mar 2003, John McFadden wrote:
>>
>>    
>>
>>>Date: Fri, 07 Mar 2003 14:16:44 -0500
>>>From: John McFadden <dasjlm at uwo.ca>
>>>To: radiator at open.com.au
>>>Subject: (RADIATOR) Anyone get EAP-PEAP on XP to work Radius?
>>>
>>>I installed the latest Service Pack on XP to get the built in 802.1x client 
>>>but can't seem to get it to
>>>authenticate via Radius. It appears that I get a TLS tunnel but never 
>>>get a logon popup on XP.
>>>
>>>I believe it is some kind of setup issue on XP not Radiator so I just 
>>>would like to
>>>verify my XP setup before getting into Radiator.
>>>
>>>I started the Wireless Zero Config service.
>>>
>>>I clicked on the applicable connection and its property button.
>>>
>>>In the authentication tab (confirms the Wireless Zero Config installed 
>>>and running.)
>>>-I clicked on Enable IEEE802.1x
>>>-I selected Protected EAP (PEAP)
>>>-I left off Authenticate as computer
>>>-I left off Authenticate as guest
>>>
>>>
>>>In the PEAP properties tab:
>>>-I left off validate server certificate - I assume not required for 
>>>EAP-PEAP?  Is this my problem?
>>>-I selected EAP-MSCHAPV2 as authentication method.
>>>
>>>In the EAP-MSCHAPV2 properties I left off the use Windows userid, 
>>>password and domain.
>>>
>>>Can someone comment or confirm this setup should work?
>>>
>>>
>>>
>>>Thanks in advance.
>>>
>>>John McFadden
>>>
>>>
>>>
>>>
>>>===
>>>Archive at http://www.open.com.au/archives/radiator/
>>>Announcements on radiator-announce at open.com.au
>>>To unsubscribe, email 'majordomo at open.com.au' with
>>>'unsubscribe radiator' in the body of the message.

-- 
************************************************************************
Denis Pavani

CINECA    -    Comunicazioni e Sistemi Distribuiti
NOC - Network Operation Center

phone:+39 0516171953 / fax:+39 0516132198
http://www.cineca.it
************************************************************************
 "We are paid to adapt, improvise and achieve the objective"
  -- Gunny Highway 


