PEAP/MSCHAPv2 problem

Stefan Winter stefan.winter at restena.lu
Tue Apr 5 13:38:51 CEST 2011


Hi,

> No, the machines are identical, only changed IP, hostname and
> certificates.
> No updates or something.

Okay...

> I put the debug output in appendix.
> Sorry I had to remove passwords and IPs because of security reasons, I
> think you will understand ;-)

That part of mangling is okay :-)

>> If you positively want to rule out that the certificate change was the
>> problem, you could, if your CA's policy allows, install the old server's
>> certificate on the new instance. For IEEE 802.1X, there is no
>> requirement that DNS names and CN/subjectAltNames match.
> This was the first thing I tried...

Good!

Looking at the output, things become clearer. The "conversation" ends
when the server tries to send the first Access-Challenge packet to the
client. It seems like that packet never gets there - and so the client
retransmits the same Request over and over again. The server then
repeatedly tries to re-send its reply, but again, it never seems to get
there.

Make sure that the changed IP address doesn't lead to some firewall
(host FW? net FW? Cisco Controller's ACLs?) eating the responses.

At least it is now apparent that it's not a certificate issue - the EAP
conversation doesn't even get far enough to send certificate data at all.

In any case, I don't think the FreeRADIUS server process is to be blamed
- it sends a well-formed response to a reasonable request. Something's
wrong between the server OS and the supplicant.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
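
The symptom described in the message above (the same Access-Request repeated after the server has already answered with an Access-Challenge) can be checked from a capture taken on the server. This is an added example, not part of the original post or of FreeRADIUS; the helper names, addresses and sample packets are constructed, and only the RFC 2865 header layout (Code, Identifier, Length, Authenticator) is relied on.

```python
import struct
from collections import defaultdict

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11  # RADIUS packet codes (RFC 2865)

def parse_header(raw):
    """Return (code, identifier, authenticator) from a raw RADIUS packet."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad Length field")
    return code, ident, raw[4:20]

def find_lost_replies(packets):
    """packets: iterable of (src, dst, raw) in capture order, src/dst as
    (ip, port). Returns {(nas, id): count} for every Access-Request the NAS
    repeated after the server had already sent an Access-Challenge for it."""
    seen = {}          # (nas, id) -> authenticator of the current request
    answered = set()   # (nas, id) pairs the server has replied to
    lost = defaultdict(int)
    for src, dst, raw in packets:
        code, ident, auth = parse_header(raw)
        if code == ACCESS_REQUEST:
            key = (src, ident)
            if seen.get(key) == auth:      # same id + authenticator: retransmit
                if key in answered:        # ...although a reply was sent
                    lost[key] += 1
            else:                          # new request (id may be reused)
                seen[key] = auth
                answered.discard(key)
        elif code == ACCESS_CHALLENGE:
            answered.add((dst, ident))
    return dict(lost)

def make_pkt(code, ident, auth):
    # Constructed sample packet: header only, no attributes.
    return struct.pack("!BBH", code, ident, 20) + auth

# Constructed server-side capture: the NAS keeps repeating request id 7.
NAS, SRV = ("192.0.2.10", 32768), ("192.0.2.1", 1812)
REQ = make_pkt(ACCESS_REQUEST, 7, b"\x11" * 16)
CHAL = make_pkt(ACCESS_CHALLENGE, 7, b"\x22" * 16)
SAMPLE = [(NAS, SRV, REQ), (SRV, NAS, CHAL)] * 3

if __name__ == "__main__":
    for (nas, ident), n in find_lost_replies(SAMPLE).items():
        print(f"{nas[0]}:{nas[1]} id={ident}: {n} retransmit(s) after challenge")
```

A non-empty result on the server side means the replies leave the RADIUS process but do not reach the NAS, which points at filtering or routing on the return path rather than at the EAP configuration.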

