Antony King wrote:
The 'live' server is a centos5.5 box. I've tried with the standard freeradius2 package (version 2.1.7) and a version compiled from SRPMS in case there was a problem with ttls in that version. The configuration was copied over from the test server, with new keys generated but otherwise unchanged.
Were the certs re-generated? They depend on the keys.
Locally, it authenticates correctly, using the first of the two commands above. If I try and authenticate from a remote system (eg, a NAS or my test server), it refuses to do the ttls negotiation.
This is the kind of problem where I would suggest "don't even try to debug it." Instead, follow the EAP howto on my web site (http://deployingradius.com). It will be faster and less work to re-create a working system, than to debug a broken one. Alan DeKok.