If it's "sometimes", then it would be wise to compare the debug log of
when the client succeeds and when it does not. Also, IIRC RHEL5 has
2.1.12 already, so you should upgrade just in case this is a fixed
bug.


just updated my testserver to 2.1.12.
I test now with rad_eap_test utility to eliminate a client failure. the behaviour gets more stranger. the test utility also fails sometimes, but the radius server seams to be ok now?


[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 1
[root@wlan-radius rad_eap_test-0.23]#

} # server inner-tunnel
[peap] Got tunneled reply code 2
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
        MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nagios"
[peap] Got tunneled reply RADIUS code 2
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
        MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nagios"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 9 to 172.21.15.1 port 59848
        EAP-Message = 0x010a003b19001703010030a46c09beb178741efc835036735026e09d8b1b1b44a88b55fce72fc28133dbf7e6edca8c0a65a6a2a85fd98eeeef2f6e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
Finished request 779.
Going to the next request
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=10, length=226
        User-Name = "nagios"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "70-6F-6C-69-73-68"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "rad_eap_test + eapol_test"
        EAP-Message = 0x020a006019001703010020fcc074273699ca1e907af0200b96b3eaa01064887cff1a26b692f38602c3a48817030100309381801c8d424b14a2d053af534f137d1f632c69aa0572f0720bec578a1d6a61df79dc279e86b9f81d68dc6c81191e8f
        State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
        Message-Authenticator = 0xb3249ed0ca17319a8d00741f734c974b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nagios", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [nagios/<via Auth-Type = EAP>] (from client 172.21.15.1 port 0 cli 70-6F-6C-69-73-68)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> nagios
[sql] sql_set_user escaped user --> 'nagios'
[sql]   expand: %{User-Password} -> 
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} -> 
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'nagios',                           '',                           'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'nagios',                           '',                           'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 10 to 172.21.15.1 port 59848
        MS-MPPE-Recv-Key = 0x3a1be0edbc8566fc1b291ff8d09a4892ad61da4dc4a33927088e7c700d478e12
        MS-MPPE-Send-Key = 0x39a7512be1ea532b88619cf74533da41e180aeb57c6077287a98c82597f8cfa5
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nagios"
Finished request 780.
Going to the next request
Waking up in 0.1 seconds.
 
--
kind regards,
Stefan
_______________________
www.epb.at - Your IT Partner in East Austria