Radius authentication fails for Windows clients

I've setup radius authentication on my Meraki MR16 running OpenWRT 18.06. This is working fine for iPhone & Android clients, but Windows clients are refusing to connect. If you attempt to connect the client requests a username & password, you enter something and it thinks briefly and states "Unable to connect to this network"

A bit of googling suggests it may have something to do with cipher, but I've tried all the options available - auto, force TKIP, force AES and force both, but none have made it work.

edit I've just reviewed the logs and see the failure with the following;

IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)

Any suggestions gratefully received, I'm trying to get this one working correctly as I've hung my hopes on being able to use the redundant ones I have lying about to deliver WiFi.

Many thanks

PEAP-MSCHAPv2 should be used for Windows clients.

By default Windows uses the user's Windows username and password. If instead you have separate wifi credentials you have to manually configure Windows to use those. I've forgotten exactly how, but in typical Windows fashion it involves clicking through several dialogs that are not obvious.

Also if WIndows doesn't like your certificate (and it probably won't, unless you've manually installed the CA on the Windows machine) it will silently fail. You can tell Windows not to validate the certificate, but that is very insecure.

1 Like

Thanks for this. We're using the Windows Active Directory server to provide radius, so the windows username and password are the right credentials. Certificates however sounds as if it's probably the issue. I'm replacing a genuine Meraki based system that was working, might there be a way I can use the same certificate that was using? Or does it actually come from the radius server itself?
Sorry for my lack of understanding. Thanks

HI all, sorry for the hiatus, but I've been away for a few weeks.
I am now 100% certain that the issue is to do with certificates, and it only affects Microsoft clients, any other OS authenticates without issue. We have a valid certificate, provide from a well known CA so it should be working, but doesn't seem to be.
I've been looking at the available packages and wondered if anyone knew whether installing hostapd-utils might give me any tools to help find the exact cause? And/or might I need hostapd-ssl for certificates? I've searched the forum and google and have not find anything of much value on either of those 2 topics.

Thanks in advance

The system is based on hostapd being primarily a dumb tunnel to the RADIUS server with end to end encryption by the endpoints to resist man-in-the-middle attack. So there isn't a lot of troubleshooting (or hacking) that can be done in the middle.