Sudden User Authentication Rejection as a result Compatibility - error

Paul Thornton prt at
Mon Feb 23 13:07:49 CET 2015

On 23/02/2015 11:13, Adam Bishop wrote:
> On 23 Feb 2015, at 10:40, Clement Ogedengbe <c.ogedengbe at> wrote:
>> Our primary server has really gone "bunker". Sometime last week (after the server ran without hitches for 2 years), it started rejecting users by reporting a certificate compatibility problem at the debug level.
>> After correcting the access privileges to certificates (which I observed may not be correct), the service resumed, but ran successfully only for 2 days and started rejecting users by reporting certificate compatibility problem.
> The debug log you've posted is _not_ the server rejecting anything - it's the client choosing not to authenticate. The warning is simply a suggestion of the likely cause.
> Any time FreeRADIUS rejects a user, it will _always_ send an explicit Access-Reject (unless configured otherwise, or using PEAP with retries). If this is what you're now seeing you need to post a much more complete log.
> It may ultimately turn out that FreeRADIUS is misbehaving, but the only thing that can tell you why the client is choosing not to authenticate is the client. What supplicant is in use?

At the risk of taking this a little off-topic for freeradius-users, I'm 
currently troubleshooting a PEAP-related auth problem where the server 
is IAS and FreeRADIUS isn't involved that sounds suspiciously similar to 
the OP's problem.

The common factor with this is that it started going wrong last week (it 
is a college in the UK, who were on half term then, so this has come to 
light in a big way this morning), "nothing changed anywhere", it had 
been working fine for years and the issue affects machines with Win7 and 
higher.  Phones, Macs etc. all authenticate just fine.

I haven't progressed much further down the troubleshooting path, so 
don't have much concrete to suggest, but if it is a similar problem, the 
server is not at fault and it is a client issue as others have already 

I'm about to embark on debugging in the depths of the Windows 802.1x 
client; if I do find anything I'll post here for the sake of the archives.


Paul Thornton

