random 3.0.22 issues with hostapd

Michael Ströder michael at stroeder.com
Sat May 22 00:58:19 CEST 2021


Hi!

I'm running a Wi-Fi access point with hostapd 2.9 and FreeRADIUS 3.0.22
[1] running on a Raspberry Pi armv6 (32-bit) with openSUSE Tumbleweed
(kernel 5.12.3). OpenLDAP (Æ-DIR) is used as user management backend.

The client is also a laptop with openSUSE Tumbleweed x86_64 and the usual
NetworkManager setup with WPA2 with EAP-TTLS/PAP.

In general the configuration seems to work and I had no issues with 3.0.21.

But with 3.0.22 every now and then it does not work anymore. Restarting
radiusd "fixes" it for some time. Unfortunately I did not find a way to
easily reproduce it.

In syslog I see these messages (first line is the last good case before
failure):

2021-05-21T17:24:13.571211+00:00 ap1 radiusd[1728]: (13) Login OK: [miwi] (from client localhost port 1 cli 84-EF-18-F7-9E-6E)
2021-05-21T18:18:31.765761+00:00 ap1 radiusd[1728]: (20)   Invalid user (ldap: Bind with (anonymous) to ldaps://ae-dir.hv.local:636 failed: Local error): [miwi] (from client localhost port 0 via TLS tunnel)
2021-05-21T18:18:31.772668+00:00 ap1 radiusd[1728]: (20)   Login incorrect (ldap: Bind with (anonymous) to ldaps://ae-dir.hv.local:636 failed: Local error): [miwi] (from client localhost port 0 via TLS tunnel)
2021-05-21T18:18:31.775870+00:00 ap1 radiusd[1728]: (20) Login incorrect (eap: Failed continuing EAP TTLS (21) session.  EAP sub-module failed): [miwi] (from client localhost port 1 cli 84-

From the above I suspect radiusd does not properly reconnect as
configured with SASL/EXTERNAL bind (using its EAP-TLS server cert as
client cert) probably after reaching idle connection timeout. Instead it
seems to use an anonymous bind.

Any clue what's going on here?

Ciao, Michael.

[1]
https://build.opensuse.org/package/show/home:stroeder:iam/freeradius-server



