Common EAP Problems and their Solutions
When an EAP method such as PEAP or TTLS does not work, there are only a few things that can go wrong.
Problem: A lot of text scrolls by, the server sends an Access-Challenge, and then prints out a message saying Cleaning up request .... After that, nothing more happens.
Diagnosis: The client does not like the server certificate.
Solution: On a testing system, un-check Validate Server Certificate as noted in the EAP page.
Solution: On a production system, ensure that the client has been configured with the certificates from the proper Certificate Authority, and with the Server certificate, as noted in the EAP page.
Solution: On a production system, ensure that the Server certificate has the proper Windows OIDs.
Problem: The server sends an Access-Reject.
Diagnosis: The password entered on the client does not match the "known good" password that the server has.
Solution: Double-check that the passwords are the same. Use the simplest possible configuration to do this.
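The two server-side symptoms above can be told apart mechanically from the debug output of a single login attempt. The following is an added example, not part of the original page or of FreeRADIUS; the sample log lines are constructed, their exact shape is an assumption based on the messages quoted here, and the function and label names are hypothetical.

```python
import re

# Constructed debug output for single login attempts (not real captures).
# Line shapes are assumed from the messages this page quotes.
STALLED = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=7, length=180
Sending Access-Challenge of id 7 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=8, length=210
Sending Access-Challenge of id 8 to 192.0.2.10 port 1645
Cleaning up request 0 ID 7 with timestamp +3
Cleaning up request 1 ID 8 with timestamp +3
"""
REJECTED = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=9, length=180
Sending Access-Challenge of id 9 to 192.0.2.10 port 1645
Cleaning up request 2 ID 9 with timestamp +5
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=10, length=240
Sending Access-Reject of id 10 to 192.0.2.10 port 1645
Cleaning up request 3 ID 10 with timestamp +6
"""

EVENT = re.compile(r"Access-(Request|Challenge|Accept|Reject)|(Cleaning up request)")

DIAGNOSIS = {
    "stalled": "client stopped after Access-Challenge: check server certificate trust on the client",
    "rejected": "Access-Reject: client password does not match the server's known-good password",
    "accepted": "Access-Accept: authentication succeeded",
    "unknown": "no conclusive EAP outcome in this log",
}

def triage(debug_log):
    """Classify one login attempt by the last RADIUS packet the log shows."""
    last_packet, cleaned_up = None, False
    for line in debug_log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        if m.group(2):            # cleanup line: only counts if nothing follows
            cleaned_up = last_packet is not None
        else:                     # a newer packet supersedes earlier cleanups
            last_packet, cleaned_up = m.group(1), False
    if last_packet == "Reject":
        return "rejected"
    if last_packet == "Accept":
        return "accepted"
    if last_packet == "Challenge" and cleaned_up:
        return "stalled"
    return "unknown"

if __name__ == "__main__":
    for name, log in (("STALLED", STALLED), ("REJECTED", REJECTED)):
        print(name, "->", DIAGNOSIS[triage(log)])
```

Cleanup lines that appear in the middle of a longer handshake are ignored, because any later packet resets the state; only a log that ends with an Access-Challenge followed by cleanup is reported as stalled.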
Problem: The Windows client (XP or Vista) still won't connect.
Diagnosis: If none of the above fixes work, and you still see the Access-Challenge sent... and then nothing, the problem is some kind of Windows magic.
Solution: Enable EAPHost Tracing.
To enable tracing, run the following commands from a privileged command prompt (i.e. as Administrator):
netsh ras set tr * en
After the problem has been reproduced (using one login attempt), tracing can be disabled by:
netsh wlan set tra no
The output files (*.etl) will be in the %windir%\tracing\wireless\ directory, usually in various subdirectories. The .etl files can be converted to .txt files via the following command:
The final files can be put on a web page, and questions posted to the freeradius-users list.