On 31 May 2014, at 10:35, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
So not just FR update but also the OS updated too...so possible eg samba upgrade too
I don't think anything majorly -- nothing like OpenSSL changing beyond some patches SuSE would have backported. Our password backend is a PostgreSQL server with Cleartext-Password being store; there is no Samba involved.
If the RPM blatted your config like that then it may also have done something to your EAP config too - eg certificates (especially if the debug shows the clients failing at that point) . Did your windows client have correct/secure EAP settings or was it just 'user/password don't care about cert details' mode?
I think the certs are all the same and being referenced the same -- we use a signed cert from the Janet Certificate Service and the chain all looks to be there (checking 'radiusd -X' output to see which files are read). My Windows 7 PC to test the same credentials is configured with the full 802.1X security setup - it only has the 'AddTrust External CA root' ticked, as well as the server name for the certificate as 'network.tokens.csx.cam.ac.uk'. If I change these settings on the PC to deliberately break them (such as ticket a different CA, or change the server name to 'network2.tokens.csx.cam.ac.uk') then the authentication fails (I do re-enter the credentials following this). So I think everything is being checked correctly. Also, that all the users of other platforms (>13,000 last week) are getting on without issue makes me think there's something odd here, like a chain certificate issue. I'm trying to lay my hands on a 2.3.5 device I can muck about with but it's proving tricky. Is there anything that can be determined from the raddebug output I sent (in terms of which end is stopping the EAP dialogue) or do I need to get more or a different type of output? - Bob -- Bob Franklin rcf34@cam.ac.uk / +44 1223 748479 Networks, University Information Services, University of Cambridge