Connection problem with WPA2 Enterprise with Windows Vista (Home Premium)

Dear everybody:

I have deployed a Wi-Fi network with the WPA2 protocol set, and authentication with a RADIUS server (FreeRADIUS 1.1.3), both "users" file and Active Directory. Everything is working fine for all kinds of clients: GNU/Linux, Mac OS X, Windows XP (Professional), etc. It also works fine for users listed in the "users" file and users belonging to Active Directory.

Everyone but users that try to get access to Wi-Fi network with a Windows Vista (Home Premium, if this detail is important) operating system. There is no way they can connect to the network.

I have been capturing traffic and recording logging information from the RADIUS server. In both cases I have realized that for a working client there is a series of RADIUS "Access Request" and "Access Challenge" exchanges between the NAS and the RADIUS server, 7 pairs, before an "Access Accept" is issued. But when a Windows Vista (Home Premium) appears on the scene, there are just 4 pairs and then.... nothing more.

I have not had the chance to try with a Windows Vista Business.

I had found this link while searching for an answer before writing this post:

Is it possible this issue is a Windows Vista (Home Premium) pitfall? Has anybody heard about it before? I am going crazy with this problem.

If anybody needs additional information, do not hesitate to ask me.

Thanks.

Reply to
Àngel Català

Nice description. Too bad the problem is related to your undisclosed maker and model wireless access point or wireless router.

Just one question... do the Vista Victims get a successfully assigned DHCP address from whatever unspecified device is delivering the IP addresses? If not, be advised that Vista has a new and improved method of dealing with DHCP. I covered this in a previous posting at:

Also see:

Since the above is 18 months old, it's possible that Microsoft has allocated a few spare CPU cycles to fixing these and other Vista problems, instead of doing damage control with Windoze 7. I'm too lazy to check.

Otherwise, if these Vista boxes are properly obtaining a correct DHCP assigned IP address, then the culprit is probably elsewhere. Vista can generate copious log files showing connection attempts and failures. To enable tracing (logging), see:

With Vista, the log files are dumped into: C:\windows\tracing\wireless\

Try to figure out at which point the Vista wireless client is failing. Don't be surprised if it fails in the middle of negotiating the encryption key. If so, temporarily change your unspecified access point from TKIP to AES encryption (or the other way around) and see if it helps.

Reply to
Jeff Liebermann

Jeff Liebermann wrote:

Thanks for answering.

Access points are Motorola AP-5181 and Motorola WS-2000 wireless switch (with AP-300 access ports). DHCP server is Windows 2003 Server.

If the association procedure is not completed, I guess there is no reason to talk about DHCP issues yet, is there?

I will try to enable wireless tracing to see if I can figure out anything, and I will try to change AES encryption to TKIP, although even if this works, it would not be a successful solution.

Reply to
Àngel Català

Jeff Liebermann wrote:

Hi again,

I have been analyzing traces from the FreeRADIUS server, both a successful handshake with an HP laptop with Intel 3945ABG chipset running Windows XP Professional and a failed handshake with a Sony laptop with Intel 3945ABG chipset running Windows Vista Home Premium. After comparing both traces side by side I have realized that both handshakes are quite similar until the end of the 4th request/response pair.

At this point, the Windows XP box goes on with the 5th request, but the Windows Vista box does not.

It does not seem that my undisclosed maker and model access point has anything to do with this, especially when my undisclosed maker and model access point seems to work fine with Windows XP, GNU/Linux and Mac OS X 10.5 boxes.

I haven't said anything about DHCP because at this point it makes no sense. Of course, every box that validates successfully gets a valid IP address from the DHCP server that runs on a Windows 2003 Server.

Kind regards to everybody.

Reply to
Àngel Català
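The side-by-side comparison described above (7 request/challenge pairs ending in an Access-Accept for the XP box, 4 pairs and then silence for the Vista box) can be automated. The following Python script is an added example, not code from anyone in this thread: it groups RADIUS packets per Calling-Station-Id, counts the challenge rounds, and flags conversations that never reached an Accept or Reject. The log line format is constructed for the example and only loosely modelled on FreeRADIUS debug output.

```python
import re
from collections import defaultdict

# Constructed sample log (not real FreeRADIUS output): station ...01 completes
# 7 request/challenge rounds and is then accepted; station ...02 stops after 4.
def constructed_log():
    lines = []
    for mac, rounds, outcome in (("00-11-22-33-44-01", 7, "Access-Accept"),
                                 ("00-11-22-33-44-02", 4, None)):
        for i in range(1, rounds + 1):
            lines.append(f'rad_recv: Access-Request id={i} Calling-Station-Id="{mac}"')
            lines.append(f'Sending Access-Challenge id={i} Calling-Station-Id="{mac}"')
        if outcome:  # final request is answered with Accept instead of Challenge
            lines.append(f'rad_recv: Access-Request id={rounds + 1} Calling-Station-Id="{mac}"')
            lines.append(f'Sending {outcome} id={rounds + 1} Calling-Station-Id="{mac}"')
    return lines

LINE_RE = re.compile(r'(Access-(?:Request|Challenge|Accept|Reject)).*?Calling-Station-Id="([^"]+)"')

def summarize(lines):
    """Per station: number of Access-Requests, number of Access-Challenge
    replies (EAP rounds) and the final outcome (Accept/Reject) if one was seen."""
    sessions = defaultdict(lambda: {"requests": 0, "rounds": 0, "outcome": None})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated debug line
        kind, mac = m.groups()
        s = sessions[mac]
        if kind == "Access-Request":
            s["requests"] += 1
        elif kind == "Access-Challenge":
            s["rounds"] += 1
        else:
            s["outcome"] = kind
    return dict(sessions)

def stalled(sessions):
    """Stations that received at least one Challenge but no Accept/Reject.
    From the RADIUS side this looks like a client that simply stopped
    answering, so the next thing to inspect is the client or the NAS."""
    return sorted(mac for mac, s in sessions.items()
                  if s["rounds"] and s["outcome"] is None)

if __name__ == "__main__":
    summary = summarize(constructed_log())
    for mac, s in summary.items():
        print(f"{mac}: {s['rounds']} rounds, outcome={s['outcome']}")
    print("stalled:", stalled(summary))
```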

Are you using Vista's Wireless Zero Config or Intel Proset? They're quite different. Intel was having some problems with the 3945ABG chipset and has released several updates:

The current version is Proset 12.4.0.0 issued April 4, 2009.

Hmmm.... this is interesting.

Under "known issues" in the release notes: To enable AES for Personal Security, select WPA-Personal (AES-CCMP) or WPA2-Personal (AES-CCMP) in the Security Settings pulldown menu. To enable AES for Enterprise Security, select AES-CCMP in the Data Encryption pulldown menu. Looks like it needs AES-CCMP selected to work with RADIUS.

Any clue what the 5th exchange is doing? My guess is that it would be trying to deliver a one-time encryption key to the client. I have to dig into the FreeRADIUS source to figure that out, which is going to burn far more time than I wanna spend on this.

Assumption, the mother of all screwups. The access point is responsible for processing quite a bit of data between the client and the RADIUS server. For example, WPA-RADIUS requests a unique encryption key from the FreeRADIUS server, which is delivered to both the access point and the client. Also, quite a few of the parameters returned by the DHCP server are for both the client and the access point, such as the DHCP lease time. You can't eliminate the AP as a possible culprit quite yet. However, you are on the right track using process of elimination. When everything else works, that which remains, no matter how improbable, is the likely culprit, especially if it's Microsoft. (Apologies to Sherlock Holmes).

I was asking if the Vista box(es) that are failing are getting valid IP addresses. That gives me a clue as to at what point during the negotiations things are failing. ipconfig.

You might want to try setting up a 2nd SSID in your Symbol WS-2000 wireless switch just for Vista. That will give you some flexibility in testing out various wireless combinations, without affecting the other users. Try WPA-TKIP-RADIUS, WPA2-TKIP-RADIUS, WPA2-AES-RADIUS and the myriad of authentication protocols that are allegedly supported. Hmmm... which EAP protocol are you using? Heavy reading:

Also, humor me and try the Vista broadcast flag tweak:

It might be that the 5th exchange is the DHCP request, which is failing because the client "forgot" to request an IP address and is instead waiting for a broadcast.

Reply to
Jeff Liebermann

Hi Jeff,

here are the answers to your questions.

Jeff Liebermann wrote:

I was using Vista's Wireless Zero Config, so I followed your advice and installed Intel Proset (and upgraded the Intel driver). There is no difference. The problem remains.

I had no time to peek inside the handshake, although I have a copy of the FreeRADIUS log.

Before we can know what is happening between the 4th and 5th request: after reading the FreeRADIUS log, it seems that after FreeRADIUS' 4th response there is no 5th request from Vista nor any Vista error message; in fact, there is nothing. Although I will have to look inside that handshake in the days to come.

I am using EAP PEAPv0/MS-CHAPv2, with all clients, including Vista.

I have been trying with WPA/WPA2 and TKIP/CCMP (make the Cartesian table) and I can't associate the Vista Home Premium client to the network.

Have a nice day, and many thanks for answering me.

Reply to
Àngel Català

Weird. I think (not sure) that the 802.1x stuff is in the Intel driver. If the Vista version were busted, I would expect replacing it with the Intel Proset version should have fixed it. Weird.

Yeah, but what's needed is knowing what the various requests are doing so I can guess which part of the puzzle is failing. The Vista wireless log files should show more detail than the RADIUS log file. If the FreeRADIUS log files don't show anything, then use a log mechanism that does (Syslog?).

Ok, that's fairly standard and should work. However, watch out for a mutation as described in:

"Microsoft supports another form of PEAPv0 which they call PEAP-EAP-TLS, one that Cisco and other third-party server and client software don't support. etc..."

Suggestion, temporarily replace the Symbol WS-2000 wireless switch with an ordinary wireless router. Make sure the firmware is up to date. Add its MAC address to the RADIUS server config so that it can be used to authenticate. Point the router to the RADIUS server and set it for very generic WPA-TKIP-RADIUS. See if it works. If it does, escalate to WPA2-AES-RADIUS. This is called troubleshooting by substitution. If it works, then the problem is *NOT* the FreeRADIUS server.

Also, you've skipped a few of my suggestions. Try the Vista fixes for DHCP broadcast. It probably won't do anything but it eliminates one possibility, especially since neither of us is sure at what point the handshake failure is occurring. It's also the only difference I can think of between an XP client and a Vista client.

Reply to
Jeff Liebermann

Also see if the Intel Proset diagnostics show anything on Vista:

Be sure to look at the log file it generates. You should see something in the Association or Authentication section.

Reply to
Jeff Liebermann

A quick search came across this:- "FR 1.1.6, 1.1.7 and 2.0.0/2.0.1 work fine with vista (without any special non windows-update KBs installed)"

Has he tried a later version of FreeRADIUS? He should probably be thinking about it as support for his version has ceased. "As of January 2008, the version 1.1.x releases are no longer actively maintained. Version 1.1.7 was the last release in that cycle. We recommend that everyone using Version 1.1.7 (or any earlier version) upgrade to the latest 2.x release as soon as possible."

He could also ask on their mailing list.

Reply to
LR

Oops. I didn't notice that he was using 1.1.3. That's probably the problem. Thanks.

Reply to
Jeff Liebermann

Hi LR,

thanks for answering. I am using FreeRADIUS 1.1.3, the version (hacked in order to use EAP PEAP) that comes with Debian Etch. I will try to upgrade to a recent version.

Have a nice day.

Reply to
Àngel Català

Say folks, T Berk here, delurking to thank you all for the informative dialog we are spectators to.

Real Life troubles often help instruct better than the text book.

(Back to lurking mode)

berk

Reply to
TBerk
