Re: RADIUS backend and Win2003 Server with specific patch don't work Was: Error searching on specific ssid



Hi Jirka, thanks for your reply!

On 10/05/10 14:52, Jirka Klimes wrote:
> On Thursday 06 of May 2010 14:23:52 Bjorge Solli wrote:
>> Info: www.eduroam.org, www.eduroam.no
>> Setup: we have two Win2k3 servers as authenticators for our two domains
>> (students and staff) and one had this patch and the other didn't:
>> http://support.microsoft.com/kb/948963
>> The domain with the patch failed to authenticate and removing the patch
>> solved the problem.
>> The patch adds " TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA and the
>> TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA AES".
>> This patch is backported from Win Server 2008.
>>
> 
> Thanks for the info. It's good to know that it works without the hotfix on 
> Windows.
> In that case, RC4-based cipher is probably used. Nevertheless, it is ironic 
> that with the hotfix the negotiation is not successful, because it's meant to 
> improve cooperation with OpenSSL.
> 
>> Our problem is solved for now, but maybe someone should try to solve the
>> underlying problem? I have attached the wpa_supplicant log of a failing
>> connection.
>>
> 
> I don't know what the actual problem is, but TLS/SSL handshake was not 
> successful.
> If you have a chance to capture packets with Wireshark (or something) in 
> not-working case, it would help to identify issues in SSL handshake.
> 
We did have that, but it was unfortunately deleted. We don't want to
break the system just to produce it again.

> BTW, what distributions do you use?

Fedora 12, tested on both 32-bit and 64-bit. Updated to latest in yum repos.

> What are the versions of NM, wpa_supplicant and OpenSSL? Searching a bit on 
> the problem, there could be a bug in older versions of wpa_supplicant.
> 

# rpm -qa | egrep -i '(wpa|networkmanager|openssl)'
openssl-1.0.0-0.13.beta4.fc12.i686
NetworkManager-glib-0.8.0-6.git20100408.fc12.x86_64
pyOpenSSL-0.9-1.fc12.x86_64
NetworkManager-openconnect-0.7.996-4.git20090921.fc12.x86_64
NetworkManager-pptp-0.7.997-3.git20100120.fc12.x86_64
openssl-1.0.0-0.13.beta4.fc12.x86_64
NetworkManager-gnome-0.8.0-6.git20100408.fc12.x86_64
wpa_supplicant-0.6.8-8.fc12.x86_64
NetworkManager-vpnc-0.7.996-4.git20090921.fc12.x86_64
NetworkManager-0.8.0-6.git20100408.fc12.x86_64
NetworkManager-openvpn-0.7.996-4.git20090923.fc12.x86_64

>> Please cc to me on replies as I don't read the list every day.
>>
>> On 27/04/10 13:30, Jirka Klimes wrote:
>>> You can follow instructions in section "Debugging WiFi Connections" on
>>> http://live.gnome.org/NetworkManager/Debugging
>>
>> Thanks!
>>

- Bjørge

-- 
Regards/Mvh, Bjørge Solli
Staff engineer/Overingeniør at Uni. Bergen, IT, Infrastruktur, Unix
Nygårdsgaten 5. Pb.7800, N-5020 Bergen, Norway. www.uib.no/it
(+47) Tlf: (555)82774 Mob: 91614343 Fax: (555)48299


