Why does PEAP-MSCHAPV2 fail in Win7?

Chad_Sun
Level 1

I'm trying to develop an 802.1X server software like FreeRadius; it supports PEAP-MSCHAPV2 authentication.

When I test this software, the TLS tunnel setup succeeds, but authentication fails at the MSCHAPV2 part. The client PC (Win 7) responds with the MSCHAPV2 challenge response, and the server software checks the NT-Response successfully and sends the MSCHAPV2 success request to the client.

But the client doesn't respond with the MSCHAPV2 success response; it seems the client's check of the authenticator response failed.

The function I developed to generate the authenticator response, GenerateAuthenticatorResponse(), works correctly, matching the RFC 2759 9.2 Hash Example.

So I don't know why the Win7 client doesn't respond with the MSCHAPV2 success response. Does the Win7 PEAP-MSCHAPV2 implementation differ from RFC 2759?

2 Replies

karans
Level 1

Hi Chad,

Please find the KB below, which resolved such an issue:

https://support.microsoft.com/en-us/kb/2481614

Let me know in case you come across any issue.

Hi karans, 

Thank you for your answer. But this hotfix doesn't work.

The software I'm trying to develop is a local authentication module that works in a switch, so users can authenticate without a RADIUS server.

The client PC can authenticate with Windows Server 2008 and FreeRadius, but fails with this software.

I found that in the successful authentication packets, the length of the MSCHAPV2 success request sent by FreeRadius is 80 octets in the TLS record layer.

The length of the MSCHAPV2 success request sent by my software is 72 octets in the TLS record layer, and its message field only contains S=<auth_string>.

Does the message of the MSCHAPV2 success request sent by FreeRadius contain the M=<message> part? Or is it caused by a different TLS cipher?
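
Added example (not part of the thread, and not the poster's or FreeRadius's code): a Python version of the RFC 2759 GenerateAuthenticatorResponse() calculation, checked against the section 9.2 values, plus the two forms of the success message field discussed above so their lengths can be compared with a capture. It assumes the server already holds PasswordHashHash (MD4 of the NT password hash), which keeps MD4 out of the example; `success_message` and the message text "OK" are hypothetical names and values chosen here.

```python
import hashlib

# Magic constants used by GenerateAuthenticatorResponse() in RFC 2759
MAGIC1 = b"Magic server to client signing constant"    # 39 octets
MAGIC2 = b"Pad to make it do more than one iteration"  # 41 octets

def challenge_hash(peer_challenge, auth_challenge, username):
    """ChallengeHash(): first 8 octets of SHA1(Peer || Authenticator || UserName)."""
    h = hashlib.sha1(peer_challenge + auth_challenge + username)
    return h.digest()[:8]

def generate_authenticator_response(pw_hash_hash, nt_response,
                                    peer_challenge, auth_challenge, username):
    """GenerateAuthenticatorResponse(), starting from PasswordHashHash."""
    if len(pw_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("PasswordHashHash is 16 octets, NT-Response is 24")
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges are 16 octets")
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()   # "S=" + 40 hex digits = 42 octets

def success_message(auth_response, text=None):
    """Message field of the success packet: "S=<auth_string> M=<message>".
    text=None reproduces the S=-only form described in the thread."""
    if text is None:
        return auth_response.encode("ascii")
    return (auth_response + " M=" + text).encode("ascii")

# Values from the RFC 2759 section 9.2 hash example
USERNAME = b"User"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
PW_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")

if __name__ == "__main__":
    resp = generate_authenticator_response(
        PW_HASH_HASH, NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    print(resp)
    for text in (None, "OK"):  # "OK" is a constructed message text
        msg = success_message(resp, text)
        print(len(msg), msg)
```

Feeding the UserName, challenges and NT-Response from a decrypted capture into these functions shows whether the S= string on the wire matches what the client will recompute.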