Monthly Archives: March 2007

Fun with FreeRADIUS and Vista

Well, as some of you would know, I have had to use Vista increasingly lately due to work and the fact that nobody really knows what they are doing with it yet.

Everything has been going alright with it, I suppose; Vista is sort of growing on me.

Well, there was one major issue for me (probably not for most people though), and that was trying to get WPA Enterprise encryption working. I tried everything to get it to go, without any luck initially.

After many hours of plugging away at the Vista machine and modifying settings on it and on the RADIUS server, I was tearing my hair out! It was 3AM and I had achieved nothing, and I have seen many other people with problems due to Vista’s implementation of 802.1x/WPA Enterprise.

I found that one thing stopping me was FreeRADIUS being out of date. It turns out that Microsoft updated the MSCHAPv2 standard and remained silent about it, and thus FreeRADIUS wouldn’t work – I was pretty pleased to read that! It would solve all my problems… or would it?

So I went on the journey of recompiling FreeRADIUS on my server, and it is a bastard to get working with OS X sometimes, especially when it can’t find the MySQL libraries…

Even after upgrading it didn’t work! AGH!!! I was tearing my hair out wondering where it was failing; the RADIUS logs were more cryptic than anything, mainly because it’s being handled by the EAP module :(

After a while I conceded that username/password PEAP challenges were not going to happen, so I moved on to certificates. I regenerated all my SSL certificates and distributed them to all the computers, and they all worked – except for the Vista installation…

After much probing around I managed to get Vista to take the CA cert and use it, but it still wouldn’t auth with it and the client cert. However, I’d noticed that it had caused username/password challenges to work correctly. I had a poke around and looked at some MS Knowledge Base articles, and it turns out that it was trying to verify the server identity via a certificate, a certificate that it previously didn’t have.

Regenerating the client cert ended up fixing that issue, but I wanted to be able to log in with a username and password without needing to install the CA cert on the computer. It turns out I have to untick “do not ask the user to verify new/unknown server certificates” or something like that, along with “verify server cert before joining”.

A simple fix. I believe it is a combination of the Vista issue and FreeRADIUS, and that I was too tired to fix it on account of it being 3AM. However, I hope that if anyone out there is having the same issue (my googling proves that there are indeed a lot of people with the same issue), they will find this info so they don’t have to become an insomniac due to FreeRADIUS too.