Norbert Wegener wrote:
freeradius now sends a Message-Authenticator with value 0x00: ... but there seems to be a problem on the other end, as eapol_test shows:
STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.05 sec RADIUS packet matching with station could not extract EAP-Message from RADIUS message
Yes. As I said, the supplicant may not like it if you don't complete the whole TLS conversation. At the minimum, you'll need to send an EAP Success packet inside of the EAP-Message attribute. But don't expect that to work. If the client certificate has expired, the odds are that the client *cannot* be authenticated, even with the sacrifice of small animals, and the sprinkling of their leavings in graveyards at midnight... Alan DeKok.