Android 2.3.5 supplicants failing after upgrade to FreeRADIUS 2.2.5 from 2.2.0
Robert Franklin
rcf34 at cam.ac.uk
Mon Jun 2 11:47:48 CEST 2014
On 31 May 2014, at 10:35, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> So not just FR update but also the OS updated too...so possible eg samba upgrade too
I don't think anything majorly -- nothing like OpenSSL changing beyond some patches SuSE would have backported. Our password backend is a PostgreSQL server with Cleartext-Password being stored; there is no Samba involved.
> If the RPM blatted your config like that then it may also have done something to your EAP config too - eg certificates (especially if the debug shows the clients failing at that point). Did your Windows client have correct/secure EAP settings or was it just 'user/password don't care about cert details' mode?
I think the certs are all the same and being referenced the same -- we use a signed cert from the Janet Certificate Service and the chain all looks to be there (checking 'radiusd -X' output to see which files are read).
My Windows 7 PC to test the same credentials is configured with the full 802.1X security setup - it only has the 'AddTrust External CA root' ticked, as well as the server name for the certificate as 'network.tokens.csx.cam.ac.uk'. If I change these settings on the PC to deliberately break them (such as tick a different CA, or change the server name to 'network2.tokens.csx.cam.ac.uk') then the authentication fails (I do re-enter the credentials following this). So I think everything is being checked correctly.
Also, that all the users of other platforms (>13,000 last week) are getting on without issue makes me think there's something odd here, like a chain certificate issue.
I'm trying to lay my hands on a 2.3.5 device I can muck about with but it's proving tricky.
Is there anything that can be determined from the raddebug output I sent (in terms of which end is stopping the EAP dialogue) or do I need to get more or a different type of output?
- Bob
--
Bob Franklin rcf34 at cam.ac.uk / +44 1223 748479
Networks, University Information Services, University of Cambridge