Why PEAP-MSCHAPV2 in WIN7 failed?

I'm trying to develop 802.1X server software like FreeRADIUS; it supports PEAP-MSCHAPV2 authentication.

When I test this software, the TLS tunnel setup succeeds, but authentication fails at the MSCHAPV2 part. The client PC (Win 7) responds with the MSCHAPV2 challenge response, and the server software checks the NT-Response successfully and sends the MSCHAPV2 success request to the client.

But the client doesn't respond with the MSCHAPV2 success response; it seems the client's check of the authenticator response failed.

The function I developed to generate the authenticator response, GenerateAuthenticatorResponse(), works correctly, matching the RFC 2759 9.2 Hash Example.

So I don't know why the Win7 client doesn't respond with the MSCHAPV2 success response. Does the Win7 PEAP-MSCHAPV2 implementation differ from RFC 2759?

2 REPLIES
Beginner

Hi Chad,

Please find the KB below, which resolved such an issue:

https://support.microsoft.com/en-us/kb/2481614

Let me know in case you come across any issues.

Beginner

Hi karans, 

Thank you for your answer. But this hotfix doesn't work.

The software I'm trying to develop is a local authentication module that works in a switch, so users can authenticate without a RADIUS server.

The client PC can authenticate with Windows Server 2008 and FreeRADIUS, but fails with this software.

I found that in a successful authentication packet capture, the MSCHAPV2 success request sent by FreeRADIUS has a length of 80 octets in the TLS record layer.

The MSCHAPV2 success request sent by my software has a length of 72 octets in the TLS record layer, and its message field only contains S=<auth_string>.

Does the MSCHAPV2 success request message sent by FreeRADIUS contain the M=<message> part? Or is it caused by a different TLS cipher?
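
An added example, not code from either poster or from FreeRADIUS: the RFC 2759 authenticator-response calculation (sections 8.2 and 8.7) checked against the section 9.2 vector, plus the Success message field with and without the optional `M=` part. It assumes the caller already holds PasswordHashHash (computing it needs MD4, left out here); the function names and the "OK" text are illustrative.

```python
import hashlib

# Magic constants from RFC 2759 section 8.7.
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

# Test vector from RFC 2759 section 9.2 (password "clientPass").
RFC_9_2 = {
    "username": b"User",
    "auth_chal": bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628"),
    "peer_chal": bytes.fromhex("21402324255E262A28295F2B3A337C7E"),
    "nt_response": bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF"),
    "pw_hash_hash": bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F"),
}

def challenge_hash(peer_chal, auth_chal, username):
    """RFC 2759 8.2: first 8 octets of SHA1(Peer | Authenticator | UserName)."""
    return hashlib.sha1(peer_chal + auth_chal + username).digest()[:8]

def generate_authenticator_response(pw_hash_hash, nt_response,
                                    peer_chal, auth_chal, username):
    """RFC 2759 8.7. pw_hash_hash = MD4(MD4(unicode password)), from the caller."""
    sizes = (("PasswordHashHash", pw_hash_hash, 16), ("NT-Response", nt_response, 24),
             ("PeerChallenge", peer_chal, 16), ("AuthenticatorChallenge", auth_chal, 16))
    for name, value, size in sizes:
        if len(value) != size:
            raise ValueError(f"{name} must be {size} octets, got {len(value)}")
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_chal, auth_chal, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    # 40 hex digits; RFC 2759 requires A-F to be uppercase.
    return "S=" + digest.hex().upper()

def success_message(auth_response, message=None):
    """Success packet Message field: 'S=<auth_string>' or 'S=<auth_string> M=<message>'."""
    if len(auth_response) != 42 or not auth_response.startswith("S="):
        raise ValueError("auth_response must be 'S=' plus 40 hex digits")
    if message is None:
        return auth_response.encode("ascii")
    return f"{auth_response} M={message}".encode("ascii")

if __name__ == "__main__":
    resp = generate_authenticator_response(**RFC_9_2)
    print(resp)
    for text in (None, "OK"):  # "OK" is an illustrative message text
        field = success_message(resp, text)
        print(len(field), field.decode("ascii"))
```

These are plaintext lengths of the Message field; a TLS record length seen in a capture also includes the MAC and any cipher padding.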