On Tue, Jul 24, 2012 at 03:47:03PM +0000, Morris, Andi wrote:
> I'm getting an odd problem where even when my clients are
> configured not to validate the server certificate (test
> environment at the mo) on their wired connections they are
> failing to authenticate on one freeradius server but getting
> access-accept on another.

That error is generated when the client goes away in the middle of the EAP transaction. The most usual is that a Windows client sees a server certificate that it doesn't like for some reason, such as it missing the OIDs that Microsoft decided should be included. Hence the certificate compatibility problem.

If you copy the server certs from the working server to the broken one, does it all start to work then?

However, the client rejecting the cert isn't the only cause of this - anything that causes the client to stop doing EAP can give that error, for example client wandering out of range at the wrong moment, or the wireless system (AP / wireless controller / etc) disconnecting the client for some reason. EAP timers in Cisco Wireless Controllers can give this issue if set incorrectly (e.g. to the defaults... :) )

The error is basically "Hey, I was talking to you, but you've stopped responding".

> Can anybody shed any light please?

Diff the configs & certs for a start.

Matthew

--
Matthew Newton, Ph.D. <[email protected]>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[email protected]>
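Added example, not part of the original message: one way to carry out the suggested certificate comparison is to pull the fields a supplicant inspects out of `openssl x509 -noout -text` dumps and compare them between the working and the failing server. The function names and sample dumps are constructed, and testing for the serverAuth EKU (the one Windows supplicants are documented to require) is an assumption, since the message does not name the OIDs.

```sh
#!/bin/sh
# Added example, not from the original message; sample dumps are constructed.

# cert_fields: read `openssl x509 -noout -text` output on stdin and print the
# fields a supplicant inspects, one "name: value" line each.
cert_fields() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^ *(Issuer|Subject):/ || /^ *Not After *:/ || /Public-Key:/ { print trim($0) }
        /^ *Signature Algorithm:/ && !sig++ { print trim($0) }
        /X509v3 (Extended Key Usage|Key Usage|Basic Constraints):/ {
            name = trim($0); sub(/^X509v3 /, "", name)
            if ((getline value) > 0) print name " " trim(value)
        }'
}

# has_server_auth: succeed if the dump on stdin carries the serverAuth EKU
# (OID 1.3.6.1.5.5.7.3.1; openssl prints "TLS Web Server Authentication").
has_server_auth() {
    cert_fields | grep -q '^Extended Key Usage:.*TLS Web Server Authentication'
}

# field_diff: print fields found in only one of two dumps (passed as
# strings); return 0 when the extracted fields match, 1 otherwise.
field_diff() {
    a=$(printf '%s\n' "$1" | cert_fields); b=$(printf '%s\n' "$2" | cert_fields)
    [ "$a" = "$b" ] && return 0
    printf '%s\n' "$a" | while IFS= read -r l; do
        printf '%s\n' "$b" | grep -qxF -- "$l" || printf '< %s\n' "$l"; done
    printf '%s\n' "$b" | while IFS= read -r l; do
        printf '%s\n' "$a" | grep -qxF -- "$l" || printf '> %s\n' "$l"; done
    return 1
}

# Constructed sample dumps (trimmed): the second lacks the EKU extension.
SAMPLE_GOOD='        Subject: CN = radius1.example.org
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
SAMPLE_BAD='        Subject: CN = radius1.example.org
            X509v3 Basic Constraints:
                CA:FALSE'

# Usage: sh certcmp.sh working.pem broken.pem   (needs the openssl CLI)
if [ "$#" -eq 2 ]; then
    field_diff "$(openssl x509 -in "$1" -noout -text)" \
               "$(openssl x509 -in "$2" -noout -text)"
    openssl x509 -in "$2" -noout -text | has_server_auth ||
        echo "second certificate lacks the serverAuth EKU"
fi
```

Lines prefixed `<` appear only in the first certificate and `>` only in the second; matching fields do not rule out the other causes listed in the message, such as timers or the client leaving mid-exchange.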

