Norbert Wegener wrote:
> freeradius now sends a Message-Authenticator with value 0x00: ...
> but there seems to be a problem on the other end, as eapol_test shows:
>
> STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending
> request, round trip time 0.05 sec
> RADIUS packet matching with station
> could not extract EAP-Message from RADIUS message

Yes. As I said, the supplicant may not like it if you don't complete the whole TLS conversation. At the minimum, you'll need to send an EAP Success packet inside of the EAP-Message attribute.

But don't expect that to work. If the client certificate has expired, the odds are that the client *cannot* be authenticated, even with the sacrifice of small animals, and the sprinkling of their leavings in graveyards at midnight...

Alan DeKok.
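
The two attributes discussed in this thread can be checked on a captured reply. This is an added example, not part of the original posts and not code from FreeRADIUS or eapol_test. It builds a RADIUS Access-Accept carrying an EAP Success inside EAP-Message, then extracts the EAP-Message and verifies the Message-Authenticator as RFC 3579 defines it. The function names, shared secret, identifier and request authenticator are hypothetical, constructed values.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types (RFC 3579)
ACCESS_ACCEPT, EAP_SUCCESS = 2, 3            # RADIUS code, EAP code

def build_reply(code, ident, request_auth, secret, eap=None):
    """Build a RADIUS reply, optionally carrying one EAP packet."""
    attrs = b""
    if eap is not None:
        attrs += bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Message-Authenticator: HMAC-MD5 over the packet with the Request
    # Authenticator in the authenticator field and this attribute zeroed.
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # Response Authenticator: MD5(header + RequestAuth + attributes + secret).
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def check_reply(packet, request_auth, secret):
    """Return (eap_bytes_or_None, message_authenticator_ok)."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, eap, mac, zeroed, pos = packet[20:length], b"", None, b"", 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 2 <= len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        atype, value = attrs[pos], attrs[pos + 2:pos + alen]
        if atype == EAP_MESSAGE:
            eap += value  # EAP fragments are concatenated in order
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            mac, value = value, bytes(16)  # zero it for recomputation
        zeroed += attrs[pos:pos + 2] + value
        pos += alen
    if mac is None:
        return (eap or None), False
    expected = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return (eap or None), hmac.compare_digest(mac, expected)

# Constructed sample values, not taken from the thread.
SECRET, REQ_AUTH = b"example-secret", bytes(range(16))
GOOD = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET, bytes([EAP_SUCCESS, 7, 0, 4]))
NO_EAP = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET)
```

A reply with no EAP-Message returns `None` for the EAP part, and a Message-Authenticator left as sixteen zero bytes on the wire fails the HMAC comparison.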

