Certificate problem between 3.0.11 and 3.1.x

Franks Andy (IT Technical Architecture Manager) Andy.Franks at sath.nhs.uk
Fri Mar 18 00:03:38 CET 2016 

Hmm, this thread got me interested - we were running 3.1.0 # 390f216 (around april 2015 I think) up until recently and it was fine with PEAP-EAP-MSCHAPv2/TLS, not that we used it much, but I did test it. 
Now with our last git pull (64aa7f9) it doesn't work, same message about EAP not finishing. It also behaves the same with PEAP-EAP-TLS. Hopefully that helps a bit, but I understand it's quite a wide time-span.

eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
eap: !! EAP session 0x17ac0b0 did not finish!                                 !!
eap: !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !!
eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Thanks
Andy
  
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: 16 March 2016 18:38
To: FreeRadius users mailing list
Subject: Re: Certificate problem between 3.0.11 and 3.1.x


> On 16 Mar 2016, at 16:44, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Mar 16, 2016, at 10:23 AM, Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:
>> Well, I wasn't able to get any useful debugging information out of Windows so we have reluctantly taken the decision to revert from bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were having by avoiding it. We'll revisit this when 3.2.x is released.
> 
>  If you have time... it would help to know when 3.1 stopped working.  You could grab a copy of 3.1 from early 2015, and see if it works.  If so, do a binary search on the commits until you get one which works, and one shortly after that which doesn't.
> 
>  That would at least help us narrow down what changed.  And would likely allow us to fix the problem.

Using current v3.1.x HEAD and running with -Xxx or a debug condition with debug level 3 set would also help.

We could compare the unencrypted tunnel data to what we see with wpa_supplicant and see what's different.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org> FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

More information about the Freeradius-Users mailing list