HP M200 certificate authentication fails

Gordon Cook gcook at ssmic.com
Fri Jul 25 21:11:59 CEST 2014

Thanks for the help.  I do really appreciate it.

Just to be clear.  I am not blaming freeRadius.  If anything I agree it is the AP.   I just wanted to make sure that there wasn't a setting or something somewhere that would allow the two to talk to each other.  Again being new to freeRadius I was not sure so wanted to ask.  One of the reasons I picked HP was to try and stay with standards based equipment.  I have a number of switches from HP and they all work great.  This is the first real issue I have had with them.

Gordon Cook
Network Administrator
Sault Ste Marie Innovation Centre
Work: 705-942-6938 x3042
Cell:     705-971-3852

-----Original Message-----
From: freeradius-users-bounces+gcook=ssmic.com at lists.freeradius.org [mailto:freeradius-users-bounces+gcook=ssmic.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, July 25, 2014 2:35 PM
To: FreeRadius users mailing list
Subject: Re: HP M200 certificate authentication fails

Gordon Cook wrote:
> I then installed the certificates on all our windows laptops.  I am 
> using laptop1 for testing
> Originally I had a CISCO AP connected to the radius server and 
> everything works. (wireless_ap1)

  Then all of the things involved are proven to work.

> We needed to upgrade our wireless and purchased an HP AP. 
> (wireless_ap2)
> So
> Laptop1 <---------> wireless_ap1 <-----------> radius1     this works using the above certificates
> Laptop1 <---------> wireless_ap2 <-----------> radius1     this does not work using the above certificates
> Laptop1 <---------> wireless_ap2 <-----------> radius1     using EAP-TLS and PAP works.

  Then the problem is the HP AP.  You've already proven that FreeRADIUS works.  When you change ONLY the AP, and EAP doesn't work... blame the AP.

> This is where I am confused.  If it is the supplicant why would it work with wireless_ap1 and not wireless_ap2 using the same settings and credentials.  This is what leads me to believe that the HP is doing something different with the packets than the the CISCO is and there is a setting in one of the config files on the radius server that needs to set or adjusted to handle the difference.

  That is entirely the wrong approach.  "Changing something" is pretty much magical thinking.

  Instead, find the *cause* of the problem, and fix *that*.  There is no magical setting in FreeRADIUS saying "work with HP".  The default configuration should work with every standards-compliant RADIUS client.

> I am currently running the eaphost trace again to see if there is something I missed.

  Stop blaming FreeRADIUS.  Throw the HP AP in the garbage, and buy an AP that works.

  Alan DeKok.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list