On Sat, Sep 12, 2015 at 09:25:25PM +0200, Stefano Pardini wrote:
I'm using PEAP/MSCHAPV2 and OpenLDAP password backend (and Samba3) to ... I didn't touch the configuration files in the last few months. Nothing has changed. The CA certificate is valid.
10 years is a long time for the server cert - are you sure that's the server cert you checked, not the CA? But from the debug logs it's not getting that far.
rad_recv: Access-Request packet from host 192.168.11.45 port 38247, id=42, length=189 User-Name = "pippo" ... EAP-Message = 0x02dc000a01706970706f
EAP response identity "pippo"
Sending Access-Challenge of id 42 to 192.168.11.45 port 38247 EAP-Message = 0x01dd00061920
EAP request PEAP
Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa0e49fa1a0398655bdbbb8b91da409d3 Finished request 0.
...
Sending duplicate reply to client OpenWrt port 38247 - ID: 42 Sending Access-Challenge of id 42 to 192.168.11.45 port 38247 Waking up in 2.0 seconds. Cleaning up request 0 ID 42 with timestamp +4 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xa0e49fa1a0398655 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Client didn't respond to the server. Again,
rad_recv: Access-Request packet from host 192.168.11.45 port 38247, id=42, length=189 User-Name = "pippo" ... EAP-Message = 0x02dc000a01706970706f
EAP response - identity "pippo"
Sending Access-Challenge of id 42 to 192.168.11.45 port 38247 EAP-Message = 0x01dd00061920
Server requests PEAP
Sending duplicate reply to client OpenWrt port 38247 - ID: 42 Sending Access-Challenge of id 42 to 192.168.11.45 port 38247 Waking up in 2.0 seconds. Cleaning up request 0 ID 42 with timestamp +4 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xa0e49fa1a0398655 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Client did not respond. Didn't get anywhere near as far as a cert exchange. You say nothing on the server changed. In that case, something on the AP or the clients did. You said "users", so I'll blindly assume multiple different clients are trying to connect, which likely eliminates the clients unless they are all identical. In which case, find out what's changed on your AP and fix that. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>