Windows PAP not working, Android PAP does work


Windows PAP not working, Android PAP does work

Mathias Maes
 Hello

Little background on my setup:
I made Freeradius connect to Google Secure LDAP, and I do some post
authentication (add a VLAN attribute to a response when a user belongs to a
certain group in Google).
Yesterday I generated new certificates to test a 'real' production setup.

Android: Installing cert, setting EAP-TTLS and PAP, username, password, et
voilà, everything works, connected to the right VLAN. However, it takes
quite long (like over 5 seconds). The Freeradius log of the Android
connection is attached.

But with Windows 10, installing server and ca certificates, setting up the
network to use EAP-TTLS PAP, trying to connect with username and password.
Windows simply shows a "Cannot connect to this network". The Freeradius log
is quite different; as I read it, it seems that Windows still tries to use
CHAP instead of PAP.

The Windows log is also attached.
These are my Windows settings: https://i.imgur.com/EFW1vja.png

I don't really know what's going on. I guess it's a Windows thing, or my
thinking is wrong and there is something wrong with my setup.

Thanks for any help or insights.

Kind regards
Mathias Maes
ICT Coordinator, Maerlant Atheneum

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attachments: log_windows.txt (83K), log_android.txt (100K)

Re: Windows PAP not working, Android PAP does work

Alan DeKok-2
On Jun 23, 2020, at 4:57 AM, Mathias Maes <[hidden email]> wrote:

> Little background on my setup:
> I made Freeradius connect to Google Secure LDAP, and I do some post
> authentication (add a VLAN attribute to a response when a user belongs to a
> certain group in Google)
> Yesterday I generated new certificates to test a 'real' production setup.
>
> Android: Installing cert, setting EAP-TTLS and PAP, username, password, et
> voila, everything works, connected to the right VLAN. However, it takes
> quite long (like over 5 seconds). The Freeradius log of the Android
> connection is in attachment

  If it takes 5s to authenticate the user, then likely something is wrong on the Google side. i.e. the LDAP queries are taking a long time.

  This is one of the few situations where you can run "radiusd -Xx".  That gets you timestamps for each line that's logged.  Which tells you exactly what portion of the server is taking time.

> But with Windows 10, installing server and ca certificates, setting up the
> network to use EAP-TTLS PAP, trying to connect with username and password.

  Windows is using PEAP, not TTLS + PAP.

> Windows simply shows a "Cannot connect to this network", the Freeradius log
> is quite different, as I read it, it seems that Windows still tries to use
> CHAP instead of PAP,
>
> The Windows log is also in attachment.

  I would suggest attaching the actual logs, verbatim.  Redirect the "radiusd -X" output to a file if necessary.

  Whatever method you've used here has reformatted the output, and added tons of whitespace, which breaks long lines.  It's very unusual, and not necessary.

  I would also suggest READING the debug output you're posting.  If it doesn't contain references to TTLS, then it's pretty clear that Windows isn't using TTLS.

> These are my Windows settings: https://i.imgur.com/EFW1vja.png

  You have to configure Windows to use TTLS + PAP.

  Alan DeKok.
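
Added example, not part of either message and not FreeRADIUS code: a small Python script that applies the two checks from the reply above to a saved debug file, showing where time passes between timestamped "radiusd -Xx" lines and which eap_* submodules the output mentions. The timestamp prefix format, the function names and both sample logs are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed line shape for "radiusd -Xx": "<ctime timestamp> : <level>: <message>"
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (.*)$")

# Constructed sample logs (not real server output).
ANDROID_SAMPLE = """\
Tue Jun 23 10:57:01 2020 : Debug: (7) eap: Calling submodule eap_ttls to process data
Tue Jun 23 10:57:01 2020 : Debug: (7) eap_ttls: Got tunneled request
Tue Jun 23 10:57:01 2020 : Debug: (7) ldap: Performing search
Tue Jun 23 10:57:05 2020 : Debug: (7) ldap: Bind as user successful
Tue Jun 23 10:57:05 2020 : Debug: (7) pap: User authenticated successfully
"""
WINDOWS_SAMPLE = """\
Tue Jun 23 11:02:10 2020 : Debug: (3) eap: Calling submodule eap_peap to process data
Tue Jun 23 11:02:10 2020 : Debug: (3) eap_peap: Continuing EAP-TLS
"""

def parse(text):
    """Return (datetime, message) for every timestamped line; skip the rest."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            rows.append((ts, m.group(2)))
    return rows

def slow_steps(text, min_gap=1.0):
    """Gaps of at least min_gap seconds between consecutive lines, largest first.
    The time is spent after the first line of each pair was logged."""
    rows = parse(text)
    gaps = [((b[0] - a[0]).total_seconds(), a[1], b[1])
            for a, b in zip(rows, rows[1:])]
    return sorted((g for g in gaps if g[0] >= min_gap), reverse=True)

def eap_modules(text):
    """Names of eap_* submodules mentioned anywhere in the debug output."""
    return set(re.findall(r"\beap_([a-z0-9]+)\b", text))

if __name__ == "__main__":
    for secs, before, after in slow_steps(ANDROID_SAMPLE):
        print(f"{secs:.0f}s between:\n  {before}\n  {after}")
    print("Android EAP submodules:", eap_modules(ANDROID_SAMPLE))
    print("Windows EAP submodules:", eap_modules(WINDOWS_SAMPLE))
```

To use it on a real capture, read the redirected debug output from a file and pass its contents to the same two functions.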

