On Dec 13, 2024, at 8:33 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
As suggested, I added „debug_all" in the post-auth section before anything else:
post-auth { debug_all
if (Service-Type == Call-Check) { MAC_auth_log } else { 802.1x_auth_log }
Which shows there's no attribute session-state for packet 362, or for many earlier ones. If you look at the last few lines of the debug output, and see "no TLS-Session-Version", then the suspicion is that the TLS-Session-Version attribute is having issues. If, however, there's nothing in session-state, then the problem is elsewhere. That's why we always need (and read) the full debug log, ... (359) session-state: Saving cached attributes (359) Framed-MTU = 1014 And then in packet 360 and after: (360) WLAN-AKM-Suite = 1027075 (360) session-state: No cached attributes The State attribute in the Access-Challenge reply (packet 359) is the same as in the Access-Request (packet 360). So I'm not sure why it's not finding the saved attributes. I think the issue is that you're proxying to an internal virtual server, and somehow the session-state isn't saved / restored correctly. For now, don't do internal proxying, and it should work. I'll see if I can find time to track this down. Alan DeKok.