Re: RADIUS backend and Win2003 Server with specific patch don't work Was: Error searching on specific ssid



On Thursday 06 of May 2010 14:23:52 Bjorge Solli wrote:
> Info: www.eduroam.org, www.eduroam.no
> Setup: we have two Win2k3 servers as authenticators for our two domains
> (students and staff) and one had this patch and the other didn't:
> http://support.microsoft.com/kb/948963
> The domain with the patch failed to authenticate and removing the patch
> solved the problem.
> The patch adds " TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA and the
> TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA AES".
> This patch is backported from Win Server 2008.
> 

Thanks for the info. It's good to know that it works without the hotfix on 
Windows.
In that case, an RC4-based cipher is probably used. Nevertheless, it is ironic 
that with the hotfix the negotiation is not successful, because it's meant to 
improve cooperation with OpenSSL.

> Our problem is solved for now, but maybe someone should try to solve the
> underlying problem? I have attached the wpa_supplicant log of a failing
> connection.
> 

I don't know what the actual problem is, but the TLS/SSL handshake was not 
successful.
If you have a chance to capture packets with Wireshark (or something) in the 
not-working case, it would help to identify issues in the SSL handshake.

BTW, what distributions do you use?
What are the versions of NM, wpa_supplicant and OpenSSL? Searching a bit on 
the problem, there could be a bug in older versions of wpa_supplicant.

> Please cc to me on replies as I don't read the list every day.
> 
> On 27/04/10 13:30, Jirka Klimes wrote:
> > You can follow instructions in section "Debugging WiFi Connections" on
> > http://live.gnome.org/NetworkManager/Debugging
> 
> Thanks!
> 
> - Bjørge

Jirka
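
An added example, not part of the original message: a small Python decoder for the plaintext part of a captured TLS handshake, showing which cipher suites the client offered and whether the server chose one or answered with an alert. It assumes the TLS records have already been reassembled from the EAP fragments and that each record holds one handshake message; the sample bytes are constructed and are not taken from the log attached to the thread.

```python
import struct

# IANA code points for the RSA suites relevant to this thread.
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def name(code):
    return SUITES.get(code, f"0x{code:04X}")

def parse_hello(msg, out):
    """Record offered suites (ClientHello) or the chosen suite (ServerHello)."""
    msg_type, hello = msg[0], msg[4:]      # skip msg_type(1) + length(3)
    if msg_type not in (1, 2) or len(hello) < 35:
        return
    i = 35 + hello[34]                     # version(2) + random(32) + session_id
    if msg_type == 1:
        n = struct.unpack_from("!H", hello, i)[0]
        out["offered"] = [name(c) for c in struct.unpack_from(f"!{n // 2}H", hello, i + 2)]
    else:
        out["selected"] = name(struct.unpack_from("!H", hello, i)[0])

def summarize(stream):
    """Walk TLS records up to ChangeCipherSpec; later records are encrypted."""
    out = {"offered": [], "selected": None, "alerts": []}
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if len(body) < length or ctype == 20:   # truncated capture or ChangeCipherSpec
            break
        if ctype == 21 and length == 2:         # alert: (level, description)
            out["alerts"].append((body[0], body[1]))
        elif ctype == 22 and length >= 4:       # handshake
            parse_hello(body, out)
    return out

# Constructed sample data (not taken from the log attached to the thread).
def _rec(ctype, body):
    return struct.pack("!BHH", ctype, 0x0301, len(body)) + body

def _hello(msg_type, tail):
    body = b"\x03\x01" + bytes(32) + b"\x00" + tail   # version, random, empty session_id
    return _rec(22, bytes([msg_type]) + len(body).to_bytes(3, "big") + body)

CLIENT = _hello(1, b"\x00\x06\x00\x35\x00\x2f\x00\x05\x01\x00")   # AES256, AES128, RC4-SHA
FAILING = CLIENT + _rec(21, b"\x02\x28")      # fatal(2) handshake_failure(40)
WORKING = CLIENT + _hello(2, b"\x00\x05\x00") # server picks RC4-SHA

if __name__ == "__main__":
    for label, stream in (("failing", FAILING), ("working", WORKING)):
        print(label, summarize(stream))
```

Comparing the offered list with the selected suite (or the alert that replaces it) in a working and a non-working capture shows at which step the two servers diverge.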

