Senandung Mendonan wrote:
> Problem: EAP Fails (Doesn't even get to TLS negotiation). In both
> cases, we get perpetual "Access-Challenge" messages sent by
> FreeRADIUS, at a very early stage — even before / during the initial
> TLS negotiation in EAP.

No... the NAS isn't seeing the response of the RADIUS server, so it re-sends the Access-Request, the server notices the duplicate request, and re-sends its response. Since the NAS isn't seeing the response of the server, it doesn't see the duplicate response, either. So it starts over from scratch.

i.e. RADIUS is driven by the NAS, not by the RADIUS server. Saying "perpetual Access-Challenge" means you're thinking that the server is somehow in charge of the conversation flow. It's not. If the server is sending perpetual Access-Challenges, it's because the client is sending perpetual Access-Requests, and ignoring the challenge responses.

Since the same IOS version seems to work for someone else, the problem is local to you. Please see the FAQ for what to do when the NAS never sees the response from the server.

Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
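
The retransmission pattern described in the reply above can be confirmed from a packet capture taken on the RADIUS server. The following is an added example, not part of the original message and not FreeRADIUS code; the `Pkt` record, the addresses and the sample packets are constructed, and duplicates are matched on source IP, source port, Identifier and Request Authenticator.

```python
import struct
from collections import namedtuple

ACCESS_REQUEST = 1
# Constructed record type for one captured UDP datagram (an assumption of this example).
Pkt = namedtuple("Pkt", "t src sport dst dport raw")

def header(raw):
    """Code, Identifier and 16-byte Authenticator of a RADIUS packet (RFC 2865)."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 20 <= length <= len(raw):
        raise ValueError("Length field does not fit the datagram")
    return code, ident, raw[4:20]

def classify(packets):
    """Label packets seen at the server; a request repeated after its reply is the symptom."""
    replied = {}   # (NAS ip, NAS port, id, request authenticator) -> reply already sent?
    latest = {}    # (NAS ip, NAS port, id) -> key of the request now using that id
    labels = []
    for p in packets:
        code, ident, auth = header(p.raw)
        if code == ACCESS_REQUEST:
            key = (p.src, p.sport, ident, auth)
            if key not in replied:
                replied[key] = False
                labels.append("new-request")
            else:
                labels.append("retransmit-after-reply" if replied[key]
                              else "retransmit-before-reply")
            latest[(p.src, p.sport, ident)] = key
        else:
            key = latest.get((p.dst, p.dport, ident))
            if key is None:
                labels.append("unmatched-reply")
                continue
            labels.append("resent-reply" if replied[key] else "reply")
            replied[key] = True
    return labels

def mk(code, ident, auth):
    """Build a header-only RADIUS packet for the constructed sample."""
    return struct.pack("!BBH", code, ident, 20) + auth

NAS, SRV, AUTH = ("192.0.2.10", 1645), ("192.0.2.1", 1812), bytes(range(16))
SAMPLE = [  # constructed: request, challenge, same request again, challenge again, restart
    Pkt(0.0, *NAS, *SRV, mk(1, 7, AUTH)), Pkt(0.1, *SRV, *NAS, mk(11, 7, bytes(16))),
    Pkt(5.0, *NAS, *SRV, mk(1, 7, AUTH)), Pkt(5.1, *SRV, *NAS, mk(11, 7, bytes(16))),
    Pkt(9.0, *NAS, *SRV, mk(1, 8, bytes(16))),
]
```

A `retransmit-after-reply` label followed by `resent-reply` means the server answered and the NAS asked again anyway, so the reply path back to the NAS is where to look.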

