RADIUS/PEAP not working when NAT is enabled?
(Moving this thread to the right forum - my mistake for posting in the wrong place!)
Setup: Airport Extreme firmware 5.6, Windows Admin Utility 5.2
Airport's WAN port connected to an internal network with Windows 2003 IAS RADIUS server; Airport's LAN port disconnected.
Windows XP client (using Microsoft zero-configuration client)
client and server set up to use PEAP authentication
If I set up the Airport in bridge mode (uncheck the "Distribute IP Addresses" box in the Network setup tab), the client can authenticate correctly and can obtain an IP address from a DHCP server on my internal network.
If I check the "Distribute IP Addresses" box, select "Share a single address with DHCP & NAT" and the 192.168.1.1/24 address range, the client can no longer authenticate. I haven't changed anything else on either the Airport or the RADIUS server.
Network traces taken on the wired (WAN) and wireless side of the Airport show that the first few exchanges of the EAP handshake go through fine, but the server's reply to the client's "TLS Hello" message are being blocked by the Airport. Up to that point, I don't see any significant difference between the exchanges with NAT enabled or disabled; it's just that the Airport passes the server's message to the client correctly when NAT is off and blocks it when NAT is on.
Setup: Airport Extreme firmware 5.6, Windows Admin Utility 5.2
Airport's WAN port connected to an internal network with Windows 2003 IAS RADIUS server; Airport's LAN port disconnected.
Windows XP client (using Microsoft zero-configuration client)
client and server set up to use PEAP authentication
If I set up the Airport in bridge mode (uncheck the "Distribute IP Addresses" box in the Network setup tab), the client can authenticate correctly and can obtain an IP address from a DHCP server on my internal network.
If I check the "Distribute IP Addresses" box, select "Share a single address with DHCP & NAT" and the 192.168.1.1/24 address range, the client can no longer authenticate. I haven't changed anything else on either the Airport or the RADIUS server.
Network traces taken on the wired (WAN) and wireless side of the Airport show that the first few exchanges of the EAP handshake go through fine, but the server's reply to the client's "TLS Hello" message are being blocked by the Airport. Up to that point, I don't see any significant difference between the exchanges with NAT enabled or disabled; it's just that the Airport passes the server's message to the client correctly when NAT is off and blocks it when NAT is on.
Airport Extreme, Windows XP