windows users having trouble authenticating

windows users having trouble authenticating

Sallee, Stephen (Jake)
I have a working FreeRADIUS server that will authenticate linux clients
happily, however my windows clients are unable to authenticate.  Here is
a snippet

--------------------------------------------------
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [test1@umhb] (from client Sanderford port 129 cli
00-17-C4-F0-75-C8)
Using Post-Auth-Type Reject
--------------------------------------------------

As you can see the problem seems to lie in the TLS section, but I have
followed all the HOWTOs I can find on installing and configuring the
server cert, but to no avail.  How do I tell the FreeRADIUS box to
trust its own certificate?  The cert was generated and signed on the
FreeRADIUS box.

Also as a side note, the linux users are able to authenticate by typing
in domain\username, but doing this on a windows box shows very strange
things in the radius log, and fails to authenticate.  Is there a way to
make both operating systems behave the same?  Otherwise my windows
clients must use the username@domain convention, once I get that working
:)



Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: windows users having trouble authenticating

Alan DeKok-2
Sallee, Stephen (Jake) wrote:
> I have a working FreeRADIUS server that will authenticate linux clients
> happily, however my windows clients are unable to authenticate.  Here is
..
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
>     TLS_accept:failed in SSLv3 read client certificate A

  The supplicant is sending a certificate that the server doesn't recognize.

> As you can see the problem seems to lie in the TLS section, but I have
> followed all the HOWTOs I can find on installing and configuring the
> server cert, but to no avail.  How do I tell the FreeRADIUS box to
> trust its own certificate?  The cert was generated and signed on the
> FreeRADIUS box.

  It's not a problem with FreeRADIUS.  It's a problem with the
supplicant. (i.e. Windows box)

> Also as a side note, the linux users are able to authenticate by typing
> in domain\username, but doing this on a windows box shows very strange
> things in the radius log, and fails to authenticate.  Is there a way to
> make both operating systems behave the same?  Otherwise my windows
> clients must use the username@domain convention, once I get that working

  What "strange things" show up in the log?  Is it a secret?

  Alan DeKok.

RE: windows users having trouble authenticating

Sallee, Stephen (Jake)
Alan:

>  The supplicant is sending a certificate that the server doesn't
> recognize.

I have turned off everything I can find on the windows box about
verifying certs and the like but still no joy.  Is there a way to tell
the FreeRADIUS box to accept the cert?

>  What "strange things" show up in the log?  Is it a secret?

No, no secrets just the following weirdness:
-------------------------------------
rad_recv: Access-Request packet from host 10.11.30.5 port 32853, id=253,
length=164
        User-Name = "umhb\\test1"
        NAS-IP-Address = 10.11.30.5
        NAS-Port = 641
        Called-Station-Id = "00-0F-7D-09-73-20:Temp"
        Calling-Station-Id = "00-17-C4-F0-75-C8"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 1Mbps/36Mbps 802.11g"
        EAP-Message = 0x0200000f01756d68625c7465737431
        Message-Authenticator = 0x149047682e6d36b8bc634cfa08e39088
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 00-17-C4-F0-75-C8
rlm_perl: Added pair Called-Station-Id = 00-0F-7D-09-73-20:Temp
rlm_perl: Added pair Message-Authenticator =
0x149047682e6d36b8bc634cfa08e39088
rlm_perl: Added pair User-Name = umhb\\test1
rlm_perl: Added pair EAP-Message = 0x0200000f01756d68625c7465737431
rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/36Mbps 802.11g
rlm_perl: Added pair NAS-IP-Address = 10.11.30.5
rlm_perl: Added pair NAS-Port = 641
rlm_perl: Added pair Framed-MTU = 1400
++[perl] returns ok
[suffix] No '@' in User-Name = "umhb\   est11", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [umhb\\\test1] (from client Sanderford port 641 cli
00-17-C4-F0-75-C8)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> umhb\   est11
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 56 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 56
Sending Access-Reject of id 253 to 10.11.30.5 port 32853
Waking up in 4.9 seconds.
Cleaning up request 56 ID 253 with timestamp +14627
-------------------------------------


The user (me) types in umhb\test1, but for some reason the server sees
umhb\\test1 which gets expanded into umhb\   est11.  There is even a
umhb\\\test1 in there! I know this has got to be a MS thing as it works
perfectly with Linux .. probably mac too as they are linux based.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



 


Re: windows users having trouble authenticating

A.L.M.Buxey
hi,

weird output due to special character.... \t, \r , \n all did
similar things in the output (latest version has fixed for this).

issue with windows is to do with certs etc.  you need to configure
the supplicant to use PEAP, not to use the windows login, if
you haven't sorted out certs, then you need to not check any radius
server or tick anything..and not have the 'do not prompt for
new certs' etc unticked.  best to put the CA that the RADIUS server
was signed with onto the host  (in trusted CA local root store).

alan
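
Added example (not part of any list post): decoding the EAP-Message attribute from the debug output above shows the identity on the wire is `umhb\test1` with a single backslash, so the doubled and tab-expanded forms come from how the name was printed, not from what Windows sent. The function names are illustrative, not FreeRADIUS APIs.

```python
import struct

EAP_RESPONSE = 2          # EAP Code field value for a Response
EAP_TYPE_IDENTITY = 1     # EAP Type field value for Identity


def parse_eap_identity(attr_hex):
    """Decode an EAP-Response/Identity from the hex form shown in the debug log."""
    text = attr_hex[2:] if attr_hex.lower().startswith("0x") else attr_hex
    raw = bytes.fromhex(text)
    if len(raw) < 5:
        raise ValueError("too short to carry an EAP type field")
    # EAP header: Code (1 byte), Identifier (1 byte), Length (2 bytes, big-endian)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != attribute length {len(raw)}")
    if code != EAP_RESPONSE or raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    return {"id": ident, "length": length,
            "identity": raw[5:].decode("utf-8", errors="replace")}


def split_realm(identity):
    """Return (realm, user) for both DOMAIN\\user and user@realm spellings."""
    if "\\" in identity:
        realm, user = identity.split("\\", 1)
    elif "@" in identity:
        user, realm = identity.rsplit("@", 1)
    else:
        realm, user = None, identity
    return realm, user


def ambiguous_escapes(identity):
    """List backslash+letter pairs a log printer could mistake for \\t, \\r or \\n."""
    return [identity[i:i + 2] for i in range(len(identity) - 1)
            if identity[i] == "\\" and identity[i + 1] in "trn"]


# EAP-Message value copied from the Access-Request in the debug output above.
EAP_MESSAGE = "0x0200000f01756d68625c7465737431"

if __name__ == "__main__":
    pkt = parse_eap_identity(EAP_MESSAGE)
    print(pkt)                                   # id and length match "[eap] EAP packet type response id 0 length 15"
    print(split_realm(pkt["identity"]))          # DOMAIN\user spelling
    print(split_realm("test1@umhb"))             # user@realm spelling from the first post
    print(ambiguous_escapes(pkt["identity"]))    # the "\t" in "umhb\test1"
```

Both spellings resolve to the same realm and user, which is the property any realm handling has to preserve when it accepts the two conventions side by side.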

RE: windows users having trouble authenticating

Sallee, Stephen (Jake)
Thanks for the info, I have the client setup the way you suggest, in Win
7 almost everything you said were defaults.  However I still get the
unknown CA problem.  Does anyone know how I can tell the FreeRADIUS
server to accept the client cert automatically?  

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221




RE: windows users having trouble authenticating

Sallee, Stephen (Jake)
I am still getting this error in my debug output:

rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca

I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

PLEASE someone tell me how to make FreeRADIUS automatically accept the
client cert.  I have about 2 thousand clients that are not owned by my
university, I cannot install the server cert on all of them, the
logistics are too much.  PLEASE HELP!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221




Re: windows users having trouble authenticating

Alan DeKok-2
Sallee, Stephen (Jake) wrote:
> I am still getting this error in my debug output:
>
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
>
> I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

  No amount of upgrading FreeRADIUS will make it work.

  This message comes because (a) the supplicant has a client certificate
issued by a CA unknown to FreeRADIUS, or (b) the supplicant is telling
FreeRADIUS that the server's CA is unknown to the client.

> PLEASE someone tell me how to make FreeRADIUS automatically accept the
> client cert.

  PEAP doesn't work like that.  If you issued client certs, then
FreeRADIUS *MUST* be configured to know about the CA.

>  I have about 2 thousand clients that are not owned by my
> university, I cannot install the server cert on all of them, the
> logistics are too much.  PLEASE HELP!

  We're trying.  We're asking you to listen to our responses.

  PEAP (or any TLS based EAP method) *cannot* do what you ask.  It's
impossible, and it was designed to be impossible by the people who
created the cryptography algorithms.

  If you want to have it work, then (a) configure FreeRADIUS to know
about the CA that issued the client cert, or (b) put the FreeRADIUS
cert/CA on a web site, for the clients to download themselves.

  I understand what you want, but please understand that there are
limitations to the protocols *independent* of FreeRADIUS.

  Alan DeKok.
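
Added example (not part of the thread): a small triage script that tells cases (a) and (b) apart from the debug lines in the first post. It relies on OpenSSL's convention that a "read" alert, or an error reason code of 1000 plus the alert number, means the alert was received from the peer; the single "write" line is constructed for contrast, and the function names are illustrative.

```python
import re

# TLS alert numbers that concern certificate validation (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
SSL_AD_REASON_OFFSET = 1000   # OpenSSL reason = 1000 + alert number for received alerts

ALERT_RE = re.compile(r"TLS Alert (read|write):(fatal|warning):(.+)")
ERROR_RE = re.compile(r"SSL error error:([0-9A-Fa-f]{8}):")

ADVICE = {
    "supplicant": "client does not trust the server's CA: install that CA on the client",
    "server": "server does not trust the client cert's CA: add it to the server's CA list",
}


def decode_openssl_error(hex_code):
    """Split an OpenSSL 1.0-style packed error code into lib / func / reason."""
    code = int(hex_code, 16)
    reason = code & 0xFFF
    peer_alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF,
            "reason": reason, "peer_alert": peer_alert}


def triage(lines):
    """Report which side sent each certificate-related TLS alert."""
    findings = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            # "read" = the server read an alert that the supplicant sent
            sender = "supplicant" if m.group(1) == "read" else "server"
            name = m.group(3).strip().lower().replace(" ", "_")
            advice = ADVICE[sender] if name in CERT_ALERTS.values() else None
            findings.append({"sent_by": sender, "alert": name, "advice": advice})
            continue
        m = ERROR_RE.search(line)
        if m:
            alert = decode_openssl_error(m.group(1))["peer_alert"]
            if alert in CERT_ALERTS:
                findings.append({"sent_by": "supplicant", "alert": CERT_ALERTS[alert],
                                 "advice": ADVICE["supplicant"]})
    return findings


# Lines copied from the debug output in the first post (wrapped line rejoined).
PAGE_LOG = [
    "[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca",
    "TLS Alert read:fatal:unknown CA",
    "    TLS_accept:failed in SSLv3 read client certificate A",
    "rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
]
# Constructed line showing the opposite direction, for comparison.
CONSTRUCTED_LOG = ["TLS Alert write:fatal:unknown CA"]

if __name__ == "__main__":
    for finding in triage(PAGE_LOG) + triage(CONSTRUCTED_LOG):
        print(finding)
```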

RE: windows users having trouble authenticating

Sallee, Stephen (Jake)
Alan:

Thank you for your response, I think I finally know what is going on.  I
need to get a real cert from my FreeRADIUS Server, any suggestions about
which vendor, IE Verisign vs thawte vs ?

I was under the impression that the clients were sending a cert to the
server and the server was rejecting it, instead it seems that the
clients are rejecting the server.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



Re: windows users having trouble authenticating

Alan DeKok-2
Sallee, Stephen (Jake) wrote:
> Thank you for your response, I think I finally know what is going on.  I
> need to get a real cert from my FreeRADIUS Server, any suggestions about
> which vendor, IE Verisign vs thawte vs ?

  Nope.

> I was under the impression that the clients were sending a cert to the
> server and the server was rejecting it, instead it seems that the
> clients are rejecting the server.

  Using a known root CA for RADIUS authentication isn't really
recommended.  But if it solves the problem...

  And you'll need to make sure that the cert you get has the correct
OIDs in it. See eap.conf.

  Alan DeKok.

Re: windows users having trouble authenticating

John Dennis
On 08/03/2010 01:30 PM, Alan DeKok wrote:
> Using a known root CA for RADIUS authentication isn't really
> recommended.

Why?

P.S. just to clarify, it's not "using a known root CA for
RADIUS authentication", rather it's using a server cert signed by a
known root CA.
--
John Dennis <[hidden email]>


Re: windows users having trouble authenticating

Alan DeKok-2
John Dennis wrote:
> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>> Using a known root CA for RADIUS authentication isn't really
>> recommended.
>
> Why?
>
> P.S. just to clarify, it's not "using a known root CA for
> RADIUS authentication", rather it's using a server cert signed by a
> known root CA.

  Sure.

  It's because *anyone* can set up an AP, and a RADIUS server that your
PC will accept.  If the AP has the same SSID as (say) your work, it will
happily send your work username && login via EAP to the rogue AP.

  The various EAP methods *should* have tied usernames (i.e. domains) to
a field in the certificate.  e.g. a cert with CN "[hidden email]"
should be sent logins for "[hidden email]", but NEVER sent logins for
"[hidden email]"

  You should ONLY send your login credentials when you *know* who it is
on the other end of the EAP conversation.

  Alan DeKok.

RE: windows users having trouble authenticating

Sallee, Stephen (Jake)
>  The various EAP methods *should* have tied usernames (i.e. domains)
> to a field in the certificate.  e.g. a cert with CN "[hidden email]"
>  should be sent logins for "[hidden email]", but NEVER sent logins
> for "[hidden email]"

How does this work out with child domains?  For example: I have two
domains 1) umhb.edu and 2) Cru.umhb.edu.  "Cru" is a child of
"umhb.edu", if I get a single cert for FreeRADIUS.umhb.edu will it be ok
for authenticating users on both umhb.edu AND Cru.umhb.edu?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221




Re: windows users having trouble authenticating

Alan DeKok-2
Sallee, Stephen (Jake) wrote:
>>  The various EAP methods *should* have tied usernames (i.e. domains)
>> to a field in the certificate.  e.g. a cert with CN "[hidden email]"
>>  should be sent logins for "[hidden email]", but NEVER sent logins
>> for "[hidden email]"
>
> How does this work out with child domains?  For example: I have two
> domains 1) umhb.edu and 2) Cru.umhb.edu.  "Cru" is a child of
> "umhb.edu", if I get a single cert for FreeRADIUS.umhb.edu will it be ok
> for authenticating users on both umhb.edu AND Cru.umhb.edu?

  I said it SHOULD have been that way.  It doesn't work that way now.

  There is NO tying of certificate CNs to user names.

  Alan DeKok.

Re: windows users having trouble authenticating

David Mitchell-8
Alan DeKok wrote:

> Sallee, Stephen (Jake) wrote:
>>>  The various EAP methods *should* have tied usernames (i.e. domains)
>>> to a field in the certificate.  e.g. a cert with CN "[hidden email]"
>>>  should be sent logins for "[hidden email]", but NEVER sent logins
>>> for "[hidden email]"
>>
>> How does this work out with child domains?  For example: I have two
>> domains 1) umhb.edu and 2) Cru.umhb.edu.  "Cru" is a child of
>> "umhb.edu", if I get a single cert for FreeRADIUS.umhb.edu will it be ok
>> for authenticating users on both umhb.edu AND Cru.umhb.edu?
>
>   I said it SHOULD have been that way.  It doesn't work that way now.
>
>   There is NO tying of certificate CNs to user names.

We should probably expand on that. With respect to the server's
certificate, there is nothing tying it to anything on any client I've
tested. The server's certificate is presented and you are allowed to
accept it. If it isn't signed by a trusted authority you may have to
click some additional warnings.

FreeRadius can of course compare the client cert's CN to the username for
what it's worth. On most platforms, the user can put whatever they want
for the username though. Or on XP, it gets auto-filled with the value of
the CN from the client's certificate. So that particular check is of
dubious value.

With respect to Jake's question, I'm not sure if he's talking about the
server certificate or the client certificate. Strictly speaking, server
certificates are not really tied to a domain or DNS entry with EAP. I
don't think the client ever actually sees the true IP address of the
radius server or its domain name. The NAS does (or might), but from the
client to the Radius server it's all encapsulated and strictly speaking
isn't IP traffic at all. You can use the server cert wherever you want,
no matter what DNS name is on it. As long as you can get the users to
click OK when they are presented with it, it will be fine.

-David Mitchell



--
-----------------------------------------------------------------
| David Mitchell ([hidden email])       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------

Re: windows users having trouble authenticating

David Mitchell-8
In reply to this post by Alan DeKok-2
Alan DeKok wrote:

> John Dennis wrote:
>> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>>> Using a known root CA for RADIUS authentication isn't really
>>> recommended.
>> Why?
>>
>> P.S. just to clarify, it's not "using a known root CA for
>> RADIUS authentication", rather it's using a server cert signed by a
>> known root CA.
>
>   Sure.
>
>   It's because *anyone* can set up an AP, and a RADIUS server that your
> PC will accept.  If the AP has the same SSID as (say) your work, it will
> happily send your work username && login via EAP to the rogue AP.

The level of risk here varies depending on the EAP method. If you are
using EAP-TLS, the server only gets a copy of the certificate so there
is no risk of him stealing your credentials. With EAP-PEAP/MSCHAPv2 I
believe the attacker can get enough information to perform a dictionary
attack against your password which depending on its strength may or may
not be a problem (I'm not certain about this one if somebody else wants
to chime in). And then there is EAP-TTLS where the rogue server will end
up with a cleartext copy of the username and password if the user can be
tricked into accepting the server's certificate.


>   The various EAP methods *should* have tied usernames (i.e. domains) to
> a field in the certificate.  e.g. a cert with CN "[hidden email]"
> should be sent logins for "[hidden email]", but NEVER sent logins for
> "[hidden email]"
>
>   You should ONLY send your login credentials when you *know* who it is
> on the other end of the EAP conversation.
>
>   Alan DeKok.


--
-----------------------------------------------------------------
| David Mitchell ([hidden email])       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------

RE: windows users having trouble authenticating

Sallee, Stephen (Jake)
AMAZING!  Alan and John, you guys are on my Christmas card list now!  I
had my default eap type set to mschap and was never getting prompted to
accept the server cert, John, you mentioned the mschap vs TLS and it hit
me, set eap to TLS and VOILA, the client is prompted to accept the cert
EXACTLY as we intended.  Thanks a bundle!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


