Stuck at "More than 50 roundtrips"

[Alan DeKok]

On Oct 23, 2023, at 6:45 PM, thomas at habets.se wrote:
> I'm trying to set up EAP-TLS with certificates with an Android Pixel 7
> Pro, latest OS, via a Unifi U6 Pro, using FreeRadius 3.0.17

  3.0.26 has been out for a while.  I'd suggest using the most recent version.  It's likely that the issue is fixed.

  The version OpenSSL may also make a difference.

  One thing which could be an issue is that EAP-TLS was updated for TLS 1.3.  Version 3.0.26 has those updates.  3.0.17 doesn't.  And the Android system is likely trying to use TLS 1.3

  But since you only posted a tiny bit of the debug output, there's no way to tell.  I shouldn't have to explain why it's necessary to post the FULL debug output, as it's in all of the documentation.  Including the message you got when you joined the list.  After 20+ years of making these comments, they get more than a little tiring.

> After that there's just a bunch of apparently empty-ish repeating
> Access-Request/Access-Challenge[1], and it's stuck that way until:
> 
> (52) eap: ERROR: rlm_eap (EAP): Aborting! More than 50 roundtrips made
> in session with state 0x8e36e001bc25ed47

  That indicates that neither end is making progress.  Each end is waiting for the other end to do somethign

> What am I doing wrong? In this example I'm putting "wifi" as identity,
> in case it helps that it's present in the user config.

  There is very little you can do to make the server get stuck in a loop.  i.e. no normal configuration should do this.

  So what's left 

> I expect that at some point the server should reply Accepted, instead
> of a new challenge. I guess the client cert was not enough auth? Is
> there a config I need to change so that cert is sufficient?

  It's not a certificate issue.  Or at least very very likely to not be a certificate issue.

> I'd appreciate any help. Thanks.

  Upgrade.  If it works, move on to something else.

  Alan DeKok.