If it's "sometimes", then it would be wise to compare the debug log of when the client succeeds and when it does not. Also, IIRC RHEL5 has 2.1.12 already, so you should upgrade just in case this is a fixed bug.
just updated my testserver to 2.1.12. I test now with rad_eap_test utility to eliminate a client failure. the behaviour gets more stranger. the test utility also fails sometimes, but the radius server seams to be ok now? [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2 access-accept; 0 [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2 access-accept; 0 [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2 access-accept; 0 [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2 access-accept; 0 [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2 access-accept; 1 [root@wlan-radius rad_eap_test-0.23]# } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85 MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "nagios" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85 MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "nagios" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 9 to 172.21.15.1 port 59848 EAP-Message = 0x010a003b19001703010030a46c09beb178741efc835036735026e09d8b1b1b44a88b55fce72fc28133dbf7e6edca8c0a65a6a2a85fd98eeeef2f6e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9f5fd31c0ffe486f9e2896c0b298eff Finished request 779. Going to the next request Waking up in 0.1 seconds. rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=10, length=226 User-Name = "nagios" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x020a006019001703010020fcc074273699ca1e907af0200b96b3eaa01064887cff1a26b692f38602c3a48817030100309381801c8d424b14a2d053af534f137d1f632c69aa0572f0720bec578a1d6a61df79dc279e86b9f81d68dc6c81191e8f State = 0xc9f5fd31c0ffe486f9e2896c0b298eff Message-Authenticator = 0xb3249ed0ca17319a8d00741f734c974b # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nagios", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok Login OK: [nagios/<via Auth-Type = EAP>] (from client 172.21.15.1 port 0 cli 70-6F-6C-69-73-68) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> nagios [sql] sql_set_user escaped user --> 'nagios' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'nagios', '', 'Access-Accept', '2012-08-08 10:42:37') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'nagios', '', 'Access-Accept', '2012-08-08 10:42:37') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 10 to 172.21.15.1 port 59848 MS-MPPE-Recv-Key = 0x3a1be0edbc8566fc1b291ff8d09a4892ad61da4dc4a33927088e7c700d478e12 MS-MPPE-Send-Key = 0x39a7512be1ea532b88619cf74533da41e180aeb57c6077287a98c82597f8cfa5 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "nagios" Finished request 780. Going to the next request Waking up in 0.1 seconds. -- kind regards, Stefan _______________________ www.epb.at - Your IT Partner in East Austria