Common EAP Problems and their Solutions

When an EAP method such as PEAP or TTLS does not work, there are only a few things that can go wrong.

Problem: A lot of text scrolls by, the server sends an Access-Challenge, and then prints out a message saying Cleaning up request .... After that, nothing more happens.

Diagnosis: The client does not like the server certificate.

Solution: On a testing system, un-check Validate Server Certificate as noted in the EAP page.

Solution: On a production system, ensure that the client has been configured with the certificates from the proper Certificate Authority and Server certificate, as noted in the EAP page.

Solution: On a production system, ensure that the client has Server certificate has the proper Windows OID's.

Problem: The server sends an Access-Reject.

Diagnosis: The password entered on the client does not match the "known good" password that the server has.

Solution: Double-check that the passwords are the same. Use the simplest possible configuration to do this.

Problem: The Windows client (XP or Vista) still won't connect.

Diagnosis: If none of the above fixes work, and you still see the Access-Challenge sent... and then nothing, the problem is some kind of Windows magic.

Solution: Enable EAPHost Tracing.

To enable tracing, run the following commands from a privileged command prompt (i.e. as Administrator):

netsh wlan set tra yes
netsh ras set tr * en

After the problem has been reproduces (using one login attempt), tracing can be disabled by:

netsh ras set tr * dis
netsh wlan set tra no

The output files (*.etl) will be in the %2Ewindir%2E\tracing\wireless\ directory, usually in various subdirectories. The .etl files can be converted to .txt files via the following command:

tracerpt *.*

The final files can put put on a web page, and questions posted to the freeradius-users list.