Good morning, Yes: new server (RHEL 5.4 -> CentOS 7.1) + new version of openssl (OpenSSL 0.9.8e-fips -> OpenSSL 1.0.1e-fips) I will have a look to your suggestions: - examining and comparing the access accept packets - disabling tlsv1_2 Thank you so much for your help, Alan and Arran! Regards, *Oscar Remírez de Ganuza Satrústegui* IT Services Universidad de Navarra Tel. +34 948425600 x803130 http://www.unav.edu/web/it/ On Thu, Nov 19, 2015 at 9:21 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
As I told on a previous email, we are migrating previous radius (2.1.9) authentication to a new instance of freeradius (3.0.10).
new server? new version of openssl on the new server?
if the access accept packet is the same as that from 2.1.9 then the issue is somewhere else. I'd examine that last access accept packet.
but my first instinct is that this is a MPPE key issue - access accept okay but the IOS device not likeing the derived keys - validate this by putting
disable_tlsv1_2 = yes
into the tls {} section of your eap module
i think this issue is fixed in 3.0.x HEAD (?)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html