HI! I'm running a Wifi access point with hostapd 2.9 and FreeRADIUS 3.0.22 [1] running on raspberry pi armv6 (32-bit) with openSUSE Tumbleweed (kernel 5.12.3). OpenLDAP (Æ-DIR) is used as user management backend. Client is also a Laptop with openSUSE Tumbleweed x86_64 and the usual Network Manager setup with WPA2 with EAP-TTLS/PAP. In general the configuration seems to work and I had no issues with 3.0.21. But with 3.0.22 every now and then it does not work anymore. Restarting radiusd "fixes" it for some time. Unfortunately I did not find a way to easily reproduce it. In syslog I see these messages (first line is the last good case before failure): 2021-05-21T17:24:13.571211+00:00 ap1 radiusd[1728]: (13) Login OK: [miwi] (from client localhost port 1 cli 84-EF-18-F7-9E-6E) 2021-05-21T18:18:31.765761+00:00 ap1 radiusd[1728]: (20) Invalid user (ldap: Bind with (anonymous) to ldaps://ae-dir.hv.local:636 failed: Local error): [miwi] (from client localhost port 0 via TLS tunnel) 2021-05-21T18:18:31.772668+00:00 ap1 radiusd[1728]: (20) Login incorrect (ldap: Bind with (anonymous) to ldaps://ae-dir.hv.local:636 failed: Local error): [miwi] (from client localhost port 0 via TLS tunnel) 2021-05-21T18:18:31.775870+00:00 ap1 radiusd[1728]: (20) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [miwi] (from client localhost port 1 cli 84-
From the above I suspect radiusd does not properly properly reconnect as configured with SASL/EXTERNAL bind (using its EAP-TLS server cert as client cert) probably after reaching idle connection timeout. Instead it seems to use an anonymous bind.
Any clue what's going on here? Ciao, Michael. [1] https://build.opensuse.org/package/show/home:stroeder:iam/freeradius-server