EAP on Cisco Cat2960 & Aironet1200: TLS Fails

Alan DeKok aland at deployingradius.com
Tue Feb 13 08:27:46 CET 2007

Senandung Mendonan wrote:
> Problem: EAP Fails (Doesn't even get to TLS negotiation). In both
> cases, we get perpetual "Access-Challenge" messages sent by
> FreeRADIUS, at a very early stage — even before / during the initial
> TLS negotiation in EAP.

  No... the NAS isn't seeing the response of the RADIUS server, so it
re-sends the Access-Request, the server notices the duplicate request,
and re-sends its response.

  Since the NAS isn't seeing the response of the server, it doesn't see
the duplicate response, either.  So it starts over from scratch.

  i.e. RADIUS is driven by the NAS, not by the RADIUS server.  Saying
"perpetual Access-Challenge" means you're thinking that the server is
somehow in charge of the conversation flow.  It's not.  If the server is
sending perpetual Access-Challenges, it's because the client is sending
perpetual Access-Requests, and ignoring the challenge responses.

  Since the same IOS version seems to work for someone else, the problem
is local to you.  Please see the FAQ for what to do when the NAS never
sees the response from the server.

  Alan DeKok.
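The retransmit and duplicate-detection interplay described in the reply above, as an added example that is not part of the original post and not FreeRADIUS code. The `Server`, `Nas` and `Packet` classes are constructed for illustration; the duplicate cache keyed on (source, Identifier, Request Authenticator) is a simplified model of how a RADIUS server recognises a re-sent Access-Request, and the `diagnose` heuristic is an assumption about how an operator would read the resulting log.

```python
"""Model of a NAS that never sees the server's replies.

The NAS retransmits the identical Access-Request, the server answers each
copy from its duplicate cache, and the NAS eventually gives up and starts
over with a fresh Identifier.  Seen from the server log, this looks like
"perpetual Access-Challenge", although the server is only reacting.
"""
import os
from dataclasses import dataclass, field

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11   # RADIUS code values (RFC 2865)


@dataclass(frozen=True)
class Packet:
    code: int
    identifier: int        # 8-bit RADIUS Identifier
    authenticator: bytes   # 16-byte Request Authenticator
    src: str               # constructed stand-in for source IP/port


@dataclass
class Server:
    """Replies are cached so a retransmitted request gets the same reply."""
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)
    challenges_built: int = 0

    def handle(self, req: Packet) -> Packet:
        key = (req.src, req.identifier, req.authenticator)
        if key in self.cache:
            self.log.append(f"duplicate request id={req.identifier}, re-sending cached reply")
            return self.cache[key]
        # First sight of this request: EAP would start here; we just challenge.
        reply = Packet(ACCESS_CHALLENGE, req.identifier, os.urandom(16), "server")
        self.cache[key] = reply
        self.challenges_built += 1
        self.log.append(f"new request id={req.identifier}, sending Access-Challenge")
        return reply


@dataclass
class Nas:
    """The NAS drives the conversation: it retransmits, then restarts."""
    max_retransmits: int = 3
    identifier: int = 0
    restarts: int = 0

    def run(self, server: Server, drop_replies: bool, rounds: int = 2) -> int:
        """Attempt `rounds` EAP starts; return how many replies the NAS processed."""
        processed = 0
        for _ in range(rounds):
            auth = os.urandom(16)   # fresh Request Authenticator per new request
            req = Packet(ACCESS_REQUEST, self.identifier, auth, "nas")
            for _attempt in range(self.max_retransmits + 1):
                reply = server.handle(req)   # same packet on every retransmit
                if not drop_replies:
                    processed += 1
                    break                    # challenge seen; EAP would continue
            else:
                self.restarts += 1           # never saw a reply: start from scratch
            self.identifier = (self.identifier + 1) % 256
        return processed


def simulate(drop_replies: bool) -> dict:
    """Run one scenario and summarise what the server log would show."""
    server, nas = Server(), Nas()
    seen = nas.run(server, drop_replies)
    duplicates = sum(1 for line in server.log if line.startswith("duplicate"))
    return {"challenges_built": server.challenges_built, "duplicates": duplicates,
            "nas_restarts": nas.restarts, "replies_seen_by_nas": seen}


def diagnose(stats: dict) -> str:
    """Operator heuristic (assumption): mostly-duplicate traffic means the
    reply path from server to NAS is broken, not the EAP/TLS configuration."""
    if stats["duplicates"] > stats["challenges_built"]:
        return "NAS is not receiving replies; check the return path to the NAS"
    return "NAS is receiving replies; look at the EAP exchange itself"


if __name__ == "__main__":
    for dropped in (True, False):
        s = simulate(dropped)
        print("replies dropped" if dropped else "replies delivered", s, "->", diagnose(s))
```

The point the simulation makes visible is that every Access-Challenge the server emits in the broken case is a cached reply to a duplicate request, so a log dominated by duplicate-request lines is the signature of a NAS that cannot hear the server, which is what to investigate before touching EAP or TLS settings.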
