Sudden User Authentication Rejection as a result Compatibility - error

Paul Thornton prt at prt.org
Mon Feb 23 14:40:40 CET 2015


Hi all,

On 23/02/2015 12:30, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> come to light in a big way this morning), "nothing changed
>> anywhere", it had been working fine for years and the issue affects
>> machines with Win7 and higher.  Phones, Macs etc. all authenticate
>> just fine.
>>
>> I haven't progressed much further down the troubleshooting path, so
>> don't have much concrete to suggest, but if it is a similar problem,
>> the server is not at fault and it is a client issue as others have
>> already suggested.
>>
>> I'm about to embark on debugging in the depths of the Windows 802.1x
>> client; if I do find anything I'll post here for the sake of the
>> archives.
>
> as already mentioned, there have been Windows updates that have gone out recently
> that have caused many a mischief. we've not been affected (probably because we
> have our own CA for this...) - I suspect a certificate CA update on the clients
> which has meant the root CA or an intermediate are no longer known or trusted
> correctly.  if the RADIUS server pushed out its cert and ALL the chain, then local
> intermediates SHOULDN'T be an issue...but if the root is no longer correctly
> known then that would be ka-blam!

Reporting back here, as promised; whilst this must be a Windows client 
specific problem, the actual cause in my case was the Win2003 IAS server 
applying an update last week (KB3023562).  Removing that fixes things.

The certs all looked perfectly sensible with no issues validating.

My best guess here is that the Windows clients are doing something 
"clever" and "Microsofty" that tickles something in IAS when it has that 
patch applied.  It could well be that the clients also updated something 
at the same time and the combined effect broke the functionality.  As 
Alan says, MS do seem to be giving this code a good shake-up at the moment.

We're now in IAS territory and not FreeRADIUS so I'll shut up here :)

Paul.

