curious network problem

Antony King antony.king at solutiontrax.com
Tue Aug 17 13:36:34 CEST 2010


*edit*
After writing most of the below, I used iperf to check that UDP packets were 
getting through, and discovered that after about 4 packets the stream was 
getting dropped. This turned out to be caused by VMware sitting on the 
interface I was connecting to and doing 'something' - not sure what - to the 
UDP stream. Coming in on a different interface has solved the problem.

Thanks for your help,
Antony.

On Tuesday 17 August 2010 10:26:05 Alan DeKok wrote:
> Antony King wrote:
> > I did 'make destroycerts', then 'make' in the certs directory. It should
> > all be new in there.
> 
>   OK.
> 
> > it's just very frustrating that it all works perfectly if you
> > are localhost, but not if you are a remote host.
> 
>   Or maybe "it works from localhost with eapol_test, which is simple and
> sane", and "it doesn't work remotely with Windows, which is insane and
> ridiculously complicated"
...
>   If it works with eapol_test, and not with Windows, blame Windows.  If
> you have all of the right certs && config on the Windows machine (as
> shown on my web site), then that version of Windows is broken.  Use
> another Windows machine and it should work.
 

I've not got any Windows kit on my network at all. I'm using eapol_test 
throughout at the moment (see my first email for the commands that I used).

I've just recompiled from the same 2.1.9 tarball that I used on the working 
server, done the absolute bare minimum to configure (your howto said it should 
pretty much work out of the box with no config for eap), and I've got the same 
results - i.e., eapol_test works from localhost but not remotely. The same test 
using the same two machines swapped over, i.e., client on the 'live' machine, 
server on my dev machine, works fine.

The procedure I followed to do this most recent install was:

uninstall freeradius from the broken server, move all the configs out the way
copy + extract freeradius_2.1.9+git.tar.gz from my working server to the 
broken one
./configure
discover I don't have mysql-devel, python-devel and gdbm-devel. Use yum to 
install those, make clean, ./configure again, then make install

All the config files have been installed to /usr/local/etc/raddb, which suits 
me as I don't like doing 'make install' on an RPM-based machine!

in ./certs, edit the three .cnf files, do 'make'
edit clients.conf to allow the remote machine to connect:

client 192.168.0.0/16 {
        nastype = other
        secret = testing123
        shortname = name
}

take out the '#' before 'include sql' in radiusd.conf and in 
sites-enabled/inner-tunnel
change the mysql password in sql.conf

put 'copy_request_to_tunnel' in eap.conf in the ttls section, so that I can 
check for calling_station_Id at 

The radcheck table database is identical on both machines and contains this:

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | username | attribute          | op | value        |
+----+----------+--------------------+----+--------------+
|  1 | u        | Cleartext-Password | := | p            |
|  7 | o        | Calling-Station-Id | := | 00197e18c21b |
|  6 | n        | Auth-type          | := | EAP          |
|  4 | m        | Cleartext-Password | := | p            |
|  5 | m        | Calling-Station-Id | := | 00197eb8c20a |
|  8 | o        | Cleartext-Password | := | p            |
|  9 | john     | Cleartext-Password | := | password1    |
+----+----------+--------------------+----+--------------+
7 rows in set (0.00 sec)

I believe that's all I changed from the default config. Still doesn't work 
though - fails in exactly the same way.

I'm pretty sure the network between the two machines is clear - would it give 
a comms error if some packets were getting truncated, if there were, e.g., an 
MTU issue?





More information about the Freeradius-Users mailing list