I am sure that this is not related to FreeRADIUS but I have seen the topic posted here so I wanted to post my research for those that search these archives.
It appears to be a common problem of having a Windows Client (specifically with the WZC utility) which gets stuck in a loop of constantly verifying authorization and obtaining an IP. I, personally, can see from my radiusd -A -X output that the entire auth/autz process succeeds -- on EVERY pass of the loop.

AFTER applying the MS Hotfix KB885453, I still have my clients periodically stuck in a loop (as according to the RADIUS server showing the same debug info over and over). I have found that it appears to be due to my access point (D-Link DWL-3200AP) REBOOTING!

Here is what I told my D-Link rep:

"These steps help to illustrate the problem:

  - logged into the windows domain.
  - configured the wireless interface for WPA using automatically provided windows credentials
  - successfully and immediately logged on to the wireless WPA network
  - logged out
  - logged back into the windows domain and it successfully and immediately connected to the WPA network
  - rebooted
  - logged into domain, it took 3 (THREE) minutes to login (using cached credentials) -- This entire time NO connections were made to the RADIUS server
  - after finally logging in I notice that about 40 pings to the AP were dropped before it came back to life and suddenly 260 buffered RADIUS requests were sent to the RADIUS server
  - After the 260th, the windows computer successfully connected to the wpa wireless network

It is important to note that DURING a windows domain logon (and simultaneously a connection to the WPA wireless network) the AP REBOOTED."

Is my hypothesis correct -- that it is the AP? Do I have enough information to make that determination? To anyone that would like to help me troubleshoot the issue, let me know if I can provide more information or logs or debug output or whatever...

BTW, I also have syslog logs (DWL-3200AP can log to a syslogger...) proving that the AP REBOOTED and not just some of my pings were dropped.
Stefan

Here is my configuration:

D-Link DWL-3200AP FW2.10, WPA-Enterprise w/AES, multi-SSID support, VLAN support
FreeRADIUS 1.1.0-pre0 (snapshot-20051220)
Windows XP SP2, 802.1x, EAP-PEAP, MS-CHAPv2

radiusd.conf:

    proxy_requests = no
    $INCLUDE ${confdir}/proxy.conf

    modules {
        unix {
            radwtmp = ${logdir}/radwtmp
        }
        mschap {
            authtype = MS-CHAP
            use_mppe = yes
            require_encryption = yes
            require_strong = yes
            with_ntdomain_hack = yes
        }
        ldap {
            server = "<snip>"
            identity = "<snip>"
            password = <snip>
            basedn = "<snip>"
            filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
            base_filter = "(objectclass=radiusprofile)"
            tls { ... }
            access_attr = "dialupAccess"
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            timeout = 4
            timelimit = 3
            net_timeout = 1
            auto_header = no
            access_attr_used_for_allow = yes
        }
        eap {
            default_eap_type = peap
            timer_expire = 60
            ignore_unknown_eap_types = no
            cisco_accounting_username_bug = no
            tls {
                private_key_password = <snip>
                private_key_file = /etc/1x/server.pem
                certificate_file = /etc/1x/server.pem
                CA_file = /etc/1x/root.pem
                dh_file = /etc/1x/DH
                random_file = /etc/1x/random
                include_length = yes
            }
            peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
            }
            mschapv2 {
            }
        }
        realm ntdomain {
            format = prefix
            delimiter = "\\"
        }
        preprocess {
            :
            with_ntdomain_hack = no
            :
        }
    }

    authorize {
        preprocess
        ntdomain
        eap
        ldap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

clients.conf:

    client 172.16.16.0/24 {
        secret = testing123
        shortname = ap
    }
    client 172.16.254.0/24 {
        secret = testing123
        shortname = server
    }

proxy.conf:

    realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }
    realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

[ If SSID Authorization is desired:

    modules {
        ldap {
            filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusCalledStationId=%{Called-Station-ID}))"
        }
        attr_rewrite getssid {
            attribute = Called-Station-Id
            # may be "packet", "reply", "proxy", "proxy_reply" or "config"
            searchin = packet
            # Strip the MAC Address out of the Called-Station-ID
            # Resulting in just the SSID
            searchfor = ".................:"
            replacewith = ""
            ignore_case = yes
            new_attribute = no
            # max_matches = 10
            #
            ## If set to yes then the replace string will be appended to th
            # append = no
        }
    }

    authorize {
        :
        eap
        getssid
        ldap
        :
    }
]

Windows XP:

Apply this Pre-SP3 Hotfix: http://support.microsoft.com/?kbid=885453

Windows Network Connection Properties:
  Preferred networks, [SSID] Properties:
    Association:
      Network Auth: WPA
      Data Enc: AES
    Authentication:
      EAP Type: PEAP
      Properties:
        X Validate Server certificate
          [You must install the Root CA certificate into the trusted root ca list and choose it here.]
        EAP-MS-CHAP v2
        Configure:
          X Automatically use my Windows logon name and Password (IF PC IS JOINED TO DOMAIN)
          [ ] Automatically use my Windows logon name and Password (IF NOT JOINED)
        X Enable Fast Reconnect

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
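
An added example, not part of the original post and not FreeRADIUS code: a Python model of what the "getssid" pattern does to Called-Station-Id values before they reach the radiusCalledStationId filter, next to an anchored variant that rejects anything that is not MAC:SSID. The strict pattern, the function names, the sample values and the treatment of max_matches as a plain replacement count are assumptions made for illustration.

```python
import re

# Pattern copied from the post's "getssid" block: any 17 characters, then ":".
POSTED = re.compile(r".................:", re.IGNORECASE)

# Assumption (not in the post): an anchored variant that only accepts a real
# MAC address, one colon, and an SSID of 1 to 32 characters.
STRICT = re.compile(r"(?:[0-9A-F]{2}[-:]){5}[0-9A-F]{2}:(?P<ssid>.{1,32})",
                    re.IGNORECASE | re.DOTALL)


def ssid_posted(called_station_id, max_matches=10):
    """Model the posted rewrite: blank out up to max_matches unanchored hits."""
    return POSTED.sub("", called_station_id, count=max_matches)


def ssid_strict(called_station_id):
    """Return the SSID, or None when the value is not exactly MAC:SSID."""
    m = STRICT.fullmatch(called_station_id)
    return m.group("ssid") if m else None


def ldap_escape(value):
    """Escape the RFC 4515 filter metacharacters: \\ * ( ) and NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(user, called_station_id):
    """Build the post's SSID filter; None means reject before querying LDAP."""
    ssid = ssid_strict(called_station_id)
    if ssid is None:
        return None
    return "(&(uid=%s)(radiusCalledStationId=%s))" % (
        ldap_escape(user), ldap_escape(ssid))


if __name__ == "__main__":
    # Constructed Called-Station-Id values, not taken from the post's logs.
    for value in ("00-11-22-33-44-55:corp",
                  "00-11-22-33-44-55",
                  "00-11-22-33-44-55:my-very-long-ssid-name:x",
                  "00-11-22-33-44-55:guest*"):
        print(repr(value), "->", repr(ssid_posted(value)),
              "|", build_filter("stefan", value))
```

With the unanchored pattern, a value that carries no SSID passes through unchanged as a bare MAC, and a long SSID that itself contains a colon is cut a second time; the anchored variant returns the SSID whole or nothing.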