Foundry AP200 radio with client cert auth to win2003 AD using WPA2/PEAP

[Jouni Malinen]

On Wed, Jun 18, 2008 at 06:01:51AM -0700, John Oberlander wrote:

> Our company implemented a foundry networks wireless solution with 5 ap200's and foundry wireless roaming controller. When trying to auth, our ad says Im still trying to use eap instead of peap.? Below is my failed auth, and a good authenticated session.? Even though im using EAP=PEAP, the windows radius server still says im trying to use EAP.? Any help is appreciated.

EAP is the generic protocol that can be used with number of
authentication mechanisms, one of which is EAP-PEAP. The main
information in the log is that the specific EAP method could not be
selected for some reason; not that EAP was being used (since that is the
case even with PEAP).

> wpa supplicant.conf........
> 
> ctrl_interface=/var/run/wpa_supplicant
> 
> network={
> ??????? eap=PEAP
> ??????? phase2="auth=MSCHAPV2"

> ??????? identity="john********@green.*******"
> ??????? ca_cert="/etc/cert/********.pem"
> ??????? private_key="/etc/cert/********.pem"
> ??????? private_key_passwd="**********"

Are you really trying to use a private key and client certificate with
EAP-PEAP? If yes, you would need to add client_cert option here. If not,
I would suggest removing private_key and private_key_passwd since
EAP-PEAP with EAP-MSCHAPv2 does not normally use client certificate and
the client authenticates using a password. Please also note that if you
do not configure the password in the network block, you will need to
provide it during authentication, e.g., with wpa_cli for wpa_gui.

If this information is not enough to resolve the issue, please send me a
debug log from wpa_supplicant (with -dd on command line) showing the
failed authentication attempt.

-- 
Jouni Malinen                                            PGP id EFC895FA