On Sat, 3 Oct 2015 00:01:14 +0100 Matthew Newton <mcn4@leicester.ac.uk> wrote: [snip]
So this is why you get on. The *second* auth request succeeds.
I wondered about that. Thanks for the analysis, Matthew!
Cleaning up request 4 ID 4 with timestamp +32 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x98bd76209cb86f3a did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Note state 0x98bd76209cb86f3a above - this is the *first* request.
Ah hah. I would've tried to make that association (no pun intended), but "for state <long-hex-string>" looked like some kind of, well, *state*. That's more like a... I dunno... session or sequence i.d., is it not?
So the question is... why did the client reject the first auth, but then immediately re-try and accept the certificate the second time.
I'd look at the client and see if you can get logs off it (hard on Windows I know, have to enable eap tracing, it's a right pig to read compared to -X on the server side...)
Ei yi yi :(
to see why it rejected the first time - if you can get anything from it. I'm assuming the TLS Server OID is in the cert because it works the second time, but worth checking anyway.
How do I check that?
Check the certificate chain to make sure that it all verifies OK and has nothing that looks odd about it.
It verifies. What to look for that would be "odd" about it?
Has the client got the root CA installed properly?
The client does not have the root CA installed at all. That was never necessary in the past. Note: The exact same user account with the exact same username and password exists on the production (live) network, and one of the APs is the exact same hardware and firmware, and the client authenticates just fine. So does every one of the other 26 or so wireless clients.
Try removing the entire client config and setting it up again. I've seen Win7 get itself confused and removing and adding the wireless settings has sorted it.
Well... okay. I'll give it a try on Monday. Thanks, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.