Re: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore

关旭 guanxu at aotuis.com
Tue Jun 26 09:01:38 CEST 2012


I think you should post the whole log; maybe somebody will find the reason.

-----Original Message-----
From: freeradius-users-bounces+guanxu=aotuis.com at lists.freeradius.org
[mailto:freeradius-users-bounces+guanxu=aotuis.com at lists.freeradius.org] On Behalf Of Benjamin Malynovytch
Sent: 21 June 2012 23:26
To: freeradius-users at lists.freeradius.org
Subject: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up
config, EAP-TLS not working anymore

Dear list members,

Before writing this email, I spent hours in debug and reading the ML and howtos.

The configuration I'm trying to debug was working a couple of weeks ago.
The wifi access point became faulty (antenna broken) and was replaced in RMA
(Cisco WAP200-EU).
Before sending the AP back, I saved the configuration file through the
dedicated wizard provided by the web GUI.

When the new one arrived, I updated the firmware with the same as the one
that used to be in production (I still had the binary file) and re-uploaded
the configuration file. (Fw rev: 2.0.4.0-ETSI) All the configuration seemed
to be restored as expected, as well as the 802.1X parameters (IP / port of
FR, shared key, mode ...). IP and port are fine, as well as the shared key,
which I already tried to change (removing special chars). Mode is set to
"WPA2 Enterprise" (encryption to AES).

Before I give more details on the configuration, here are some details:
- certs are generated using the Makefile provided with Freeradius, with
special OIDs (openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile
xpextensions -config ./client.cnf)
- I followed the FAQ and the official howtos a couple of times, starting all
over without success
- FreeRadius v2.1.10 on CentOS 6.2 x86_64

What works:
- eapol_test with my personal client cert receives "Access-Accept"
- using the AP configuration on a network switch, enabling 802.1X with the
same parameters works (even though time between each Access-Challenge is
quite long, around 5 secs)

What doesn't work: wifi auth keeps exchanging Access-Challenge, ending with
"EAP session for state ... did not finish! ... bla bla bla"
Tests are made with a MacBook, using Mac OS X Lion. CA and client certs are
set up properly and used to be working like a charm before RMA. I also tested
a pair of iPhones and a Windows 7 notebook that also used to be working
properly.
On the MacBook, I don't need to change any setting in the configuration
(certs or params) to use either wifi or ethernet with 802.1X. Ethernet works
while Wifi doesn't.

I tried to reduce packet fragmentation to 768. Conf used to be working well
with default.

You will find the full configuration file (the working configuration was
reduced to minimal; test ones are based on the default file set provided
with FR, giving exactly the same behavior) linked at the end of this mail.

What I would like first is advice on where to search, as the
configuration of FR used to be working well, as well as the client
certificates and the client configurations.

Thanks in advance for your help.

/etc/raddb/radiusd.conf : http://paste.org/50823
/etc/raddb/users : http://paste.org/50822
radiusd -d /etc/raddb -X : http://paste.org/50824

Best regards,

--
Benjamin MALYNOVYTCH
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
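An added example, not from this thread or from the FreeRADIUS project: a small Python script that scans radiusd -X style output and reports which NAS (AP or switch) keeps exchanging Access-Challenge without ever reaching Access-Accept or Access-Reject, which is the Wi-Fi symptom described in the post. The log lines and the two NAS addresses are constructed, and the line shapes only approximate FreeRADIUS 2.x debug output, so treat the exact wording as an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of FreeRADIUS 2.x "radiusd -X" output (an assumption,
# not the thread's pasted log). 192.0.2.10 stands for the Wi-Fi AP, 192.0.2.20 for the switch.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=1, length=140
Sending Access-Challenge of id 1 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=2, length=200
Sending Access-Challenge of id 2 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=3, length=200
Sending Access-Challenge of id 3 to 192.0.2.10 port 1645
WARNING: !! EAP session for state 0x6b1a4c2e did not finish!
rad_recv: Access-Request packet from host 192.0.2.20 port 1812, id=7, length=140
Sending Access-Challenge of id 7 to 192.0.2.20 port 1812
rad_recv: Access-Request packet from host 192.0.2.20 port 1812, id=8, length=200
Sending Access-Accept of id 8 to 192.0.2.20 port 1812
"""

CHALLENGE = re.compile(r"^Sending Access-Challenge of id \d+ to (\S+) port \d+")
FINAL = re.compile(r"^Sending Access-(Accept|Reject) of id \d+ to (\S+) port \d+")
UNFINISHED = re.compile(r"EAP session for state (0x[0-9a-fA-F]+) did not finish")


def summarize(log_text):
    """Per NAS address: Access-Challenge rounds, final outcome, and unfinished-session states."""
    nas = defaultdict(lambda: {"challenges": 0, "outcome": None, "unfinished": []})
    last_nas = None  # the warning names a State, not a NAS, so attribute it to the last NAS seen
    for line in log_text.splitlines():
        line = line.strip()
        m = CHALLENGE.match(line)
        if m:
            last_nas = m.group(1)
            nas[last_nas]["challenges"] += 1
            continue
        m = FINAL.match(line)
        if m:
            last_nas = m.group(2)
            nas[last_nas]["outcome"] = m.group(1)
            continue
        m = UNFINISHED.search(line)
        if m and last_nas is not None:
            nas[last_nas]["unfinished"].append(m.group(1))
    return dict(nas)


def stalled_nas(summary, min_rounds=3):
    """NAS addresses that kept exchanging challenges but never got an Accept or Reject."""
    return sorted(addr for addr, s in summary.items()
                  if s["outcome"] is None and s["challenges"] >= min_rounds)
```

Comparing the stalled NAS against one that completes the same EAP-TLS exchange narrows the search to the path between the AP and the supplicant (for example EAP fragment size) rather than the certificates or the FreeRADIUS configuration, which the working switch already exercises.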
