Certificate validation checkbox - windows 7 wired

Matthew Newton mcn4 at leicester.ac.uk
Tue Jul 24 18:10:43 CEST 2012


On Tue, Jul 24, 2012 at 03:47:03PM +0000, Morris, Andi wrote:
> I'm getting an odd problem where even when my clients are
> configured not to validate the server certificate (test
> environment at the mo) on their wired connections they are
> failing to authenticate on one freeradius server but getting
> access-accept on another.

That error is generated when the client goes away in the middle of
the EAP transaction. The most usual is that a Windows client sees
a server certificate that it doesn't like for some reason, such as
it missing the OIDs that Microsoft decided should be included.
Hence the certificate compatibility problem.

If you copy the server certs from the working server to the broken
one, does it all start to work then?

However, the client rejecting the cert isn't the only cause of
this - anything that causes the client to stop doing EAP can give
that error, for example client wandering out of range at the wrong
moment, or the wireless system (AP / wireless controller / etc)
disconnecting the client for some reason. EAP timers in Cisco
Wireless Controllers can give this issue if set incorrectly (e.g.
to the defaults... :) )

The error is basically "Hey, I was talking to you, but you've
stopped responding".

> Can anybody shed any light please?

Diff the configs & certs for a start.

Matthew



-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
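
A check for the certificate problem described in the message above, added here as an example and not part of the original post: it tests whether each server certificate carries the Server Authentication extended key usage (OID 1.3.6.1.5.5.7.3.1), on the assumption that this is the extension the Windows client is looking for. The file names, the `radius.example.test` CN and the two throwaway certificates are constructed for the demonstration; `openssl` 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: compare the Extended Key Usage of the certificate on a
# working RADIUS server with the one on a failing server.

# Print the Extended Key Usage line of a PEM certificate (empty if absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the certificate lists serverAuth (1.3.6.1.5.5.7.3.1).
has_server_auth_eku() {
    cert_eku "$1" | grep -q 'TLS Web Server Authentication'
}

# Report the subject, expiry and EKU status of each certificate given.
compare_certs() {
    for c in "$@"; do
        openssl x509 -in "$c" -noout -subject -enddate
        if has_server_auth_eku "$c"; then
            echo "$c: serverAuth EKU present"
        else
            echo "$c: serverAuth EKU MISSING"
        fi
    done
}

# Constructed sample input: a self-signed certificate, with or without the EKU.
# $1 = output prefix, $2 = "eku" to include extendedKeyUsage=serverAuth.
make_demo_cert() {
    if [ "$2" = eku ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=radius.example.test" -keyout "$1.key" -out "$1.pem" \
            -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=radius.example.test" -keyout "$1.key" -out "$1.pem" \
            2>/dev/null
    fi
}

tmp=$(mktemp -d)
make_demo_cert "$tmp/working" eku    # stands in for the working server's cert
make_demo_cert "$tmp/broken" none    # stands in for the failing server's cert
compare_certs "$tmp/working.pem" "$tmp/broken.pem"
```

To use it on real servers, pass the two servers' certificate files to `compare_certs` in place of the generated ones.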
