EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore
Benjamin Malynovytch
benjamin.malynovytch at gmail.com
Thu Jun 21 17:26:29 CEST 2012
Dear list members,
Before writing this email, I spent hours in debug and reading ML and howto.
The configuration I'm trying to debug was working a couple of weeks ago.
The wifi access point became faulty (broken antenna) and was replaced under RMA (Cisco WAP200-EU).
Before sending the AP back, I saved the configuration file through the
dedicated wizard provided by the web GUI.
When the new one arrived, I updated the firmware to the same version that used to be in production (I still had the binary file) and re-uploaded the configuration file (firmware rev: 2.0.4.0-ETSI).
All of the configuration seemed to be restored as expected, including the 802.1X parameters (IP / port of FR, shared key, mode ...).
IP and port are fine, as is the shared key, which I already tried changing (removing special chars). Mode is set to "WPA2 Enterprise" (encryption set to AES).
Before I give more details on the configuration, here are some details:
- certs are generated using the Makefile provided with FreeRADIUS, with special OIDs (openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf)
- I followed the FAQ and the official howtos a couple of times, starting over from scratch each time, without success
- FreeRADIUS v2.1.10 on CentOS 6.2 x86_64
What works:
- eapol_test with my personal client cert receives "Access-Accept"
- using the AP configuration on a network switch, enabling 802.1X with the same parameters, works (even though the time between each Access-Challenge is quite long, around 5 seconds)
What doesn't work: wifi auth keeps exchanging Access-Challenges, ending with "EAP session for state ... did not finish! ... bla bla bla"
Tests are done with a MacBook running Mac OS X Lion. The CA and client certs are set up properly and used to work like a charm before the RMA. I also tested a pair of iPhones and a Windows 7 notebook that also used to work properly.
On the MacBook, I don't need to change any setting in the configuration (certs or params) to use either wifi or ethernet with 802.1X. Ethernet works while wifi doesn't.
I tried reducing the fragment size to 768. The config used to work fine with the default.
You will find the full configuration files (the working configuration had been reduced to a minimum; the test ones are based on the default file set provided with FR and give exactly the same behavior) linked at the end of this mail.
What I would like first is advice on where to look, since the FR configuration, the client certificates and the client configurations all used to work well.
Thanks in advance for your help.
/etc/raddb/radiusd.conf : http://paste.org/50823
/etc/raddb/users : http://paste.org/50822
radiusd -d /etc/raddb -X : http://paste.org/50824
Best regards,
--
Benjamin MALYNOVYTCH
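Added example, not part of the original post and not FreeRADIUS code: a small triage script for the situation described above. It walks `radiusd -X` output, groups packets per NAS (host, port), decodes the EAP header inside each EAP-Message (so the EAP-TLS L/M/S flag bits and the declared EAP length are visible), and reports per conversation how many server rounds were sent, how many times the supplicant restarted with a fresh EAP-Response/Identity, the largest EAP packet the server sent against the NAS's advertised Framed-MTU, and which "did not finish" state values belong to which NAS. That gives a side-by-side view of the wired switch (which authenticates) and the AP (which loops on Access-Challenge). The sample log is constructed in the shape of 2.x debug output with the EAP payloads truncated after the header; the 100-byte per-frame overhead in `fragment_warnings` is an assumption, not a FreeRADIUS constant.

```python
"""Triage `radiusd -X` EAP-TLS conversations per NAS (added example, not FreeRADIUS code).
Decodes EAP-Message headers and reports rounds, Identity restarts, largest server EAP
packet vs. Framed-MTU, and whether each conversation ended in Accept/Reject or timed out."""
import re

# Constructed sample in the shape of radiusd -X output. EAP payloads are truncated right
# after the header, so only the declared EAP length field is meaningful here.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.10 port 1645, id=1, length=140
\tFramed-MTU = 1500
\tEAP-Message = 0x020100080162656e
Sending Access-Challenge of id 1 to 192.168.1.10 port 1645
\tEAP-Message = 0x010200060d20
\tState = 0xaa01
rad_recv: Access-Request packet from host 192.168.1.10 port 1645, id=2, length=290
\tState = 0xaa01
\tEAP-Message = 0x0202007e0d801603
Sending Access-Challenge of id 2 to 192.168.1.10 port 1645
\tEAP-Message = 0x010303f40dc00000
\tState = 0xaa02
rad_recv: Access-Request packet from host 192.168.1.10 port 1645, id=3, length=180
\tState = 0xaa02
\tEAP-Message = 0x020300060d00
Sending Access-Accept of id 3 to 192.168.1.10 port 1645
rad_recv: Access-Request packet from host 192.168.1.20 port 1024, id=7, length=140
\tFramed-MTU = 1400
\tEAP-Message = 0x020100080162656e
Sending Access-Challenge of id 7 to 192.168.1.20 port 1024
\tEAP-Message = 0x010200060d20
\tState = 0xbb01
rad_recv: Access-Request packet from host 192.168.1.20 port 1024, id=8, length=140
\tEAP-Message = 0x020100080162656e
Sending Access-Challenge of id 8 to 192.168.1.20 port 1024
\tEAP-Message = 0x010200060d20
\tState = 0xbb02
[eap] ERROR: EAP session for state 0xbb01 did not finish!
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")
FAIL = re.compile(r"EAP session for state (0x[0-9a-fA-F]+) did not finish")
EAP_IDENTITY, EAP_TLS = 1, 13


def parse_packets(text):
    """Return (packets, failed_states); a packet holds dir/code/nas/attrs (attrs are multi-valued)."""
    packets, failed, cur = [], [], None
    for line in text.splitlines():
        if m := RECV.match(line):
            cur = {"dir": "recv", "code": m[1], "nas": (m[2], int(m[3])), "attrs": {}}
            packets.append(cur)
        elif m := SEND.match(line):
            cur = {"dir": "send", "code": m[1], "nas": (m[3], int(m[4])), "attrs": {}}
            packets.append(cur)
        elif m := FAIL.search(line):
            failed.append(m[1].lower())
            cur = None  # error lines belong to no packet
        elif (m := ATTR.match(line)) and cur is not None:
            cur["attrs"].setdefault(m[1], []).append(m[2].strip('"'))
    return packets, failed


def decode_eap(fragments):
    """Decode the EAP header from concatenated EAP-Message values; for EAP-TLS also the L/M/S bits."""
    raw = bytes.fromhex("".join(f[2:] if f.startswith("0x") else f for f in fragments))
    if len(raw) < 4:
        return None
    hdr = {"code": raw[0], "id": raw[1], "length": int.from_bytes(raw[2:4], "big"),
           "type": raw[4] if len(raw) > 4 else None, "flags": None}
    if hdr["type"] == EAP_TLS and len(raw) > 5:
        hdr["flags"] = {"L": bool(raw[5] & 0x80), "M": bool(raw[5] & 0x40), "S": bool(raw[5] & 0x20)}
    return hdr


def summarize(text):
    """Per-NAS conversation summary keyed by (host, port)."""
    packets, failed = parse_packets(text)
    out = {}
    for p in packets:
        s = out.setdefault(p["nas"], {"framed_mtu": None, "rounds": 0, "identities": 0,
                                     "max_server_eap": 0, "states": [], "outcome": "unfinished"})
        eap = decode_eap(p["attrs"].get("EAP-Message", []))
        if p["dir"] == "recv":
            if "Framed-MTU" in p["attrs"]:
                s["framed_mtu"] = int(p["attrs"]["Framed-MTU"][0])
            if eap and eap["type"] == EAP_IDENTITY:
                s["identities"] += 1  # more than one means the supplicant restarted EAP
        else:
            s["rounds"] += 1
            s["states"] += [v.lower() for v in p["attrs"].get("State", [])]
            if eap:
                s["max_server_eap"] = max(s["max_server_eap"], eap["length"])
            if p["code"] in ("Access-Accept", "Access-Reject"):
                s["outcome"] = p["code"]
    for s in out.values():
        s["restarts"] = max(0, s["identities"] - 1)
        s["unfinished_states"] = [st for st in failed if st in s["states"]]
    return out


def fragment_warnings(summary, overhead=100):
    """NASes whose Framed-MTU is below the largest server EAP packet plus an assumed
    per-frame overhead (EAPOL/802.11 headers; the 100-byte default is an assumption)."""
    return [nas for nas, s in summary.items()
            if s["framed_mtu"] and s["max_server_eap"] + overhead > s["framed_mtu"]]


if __name__ == "__main__":
    for nas, s in summarize(SAMPLE_LOG).items():
        print(nas, s["outcome"], "rounds=%d restarts=%d max_eap=%d mtu=%s unfinished=%s" % (
            s["rounds"], s["restarts"], s["max_server_eap"], s["framed_mtu"], s["unfinished_states"]))
```

Run it against a captured `radiusd -X` session (`python3 eaptriage.py < debug.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and compare the switch's and the AP's rows: a conversation that shows several Identity restarts and a largest server packet of only a few bytes never got past EAP-TLS Start, which points at the supplicant or NAS dropping the exchange rather than at certificates; a conversation whose largest server packet approaches the NAS's Framed-MTU points at fragment_size.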