*edit* After writing most of the below, I used iperf to check that UDP packets were getting through, and discovered that after about 4 packets the stream was getting dropped. This turned out to be caused by VMware sitting on the interface I was connecting to and doing 'something' - not sure what - to the UDP stream. Coming in on a different interface has solved the problem.

Thanks for your help,
Antony.

On Tuesday 17 August 2010 10:26:05 Alan DeKok wrote:
> Antony King wrote:
> > I did 'make destroycerts', then 'make' in the certs directory. It should
> > all be new in there.
>
>   OK.
>
> > it's just very frustrating that it all works perfectly if you
> > are localhost, but not if you are a remote host.
>
>   Or maybe "it works from localhost with eapol_test, which is simple and
> sane", and "it doesn't work remotely with Windows, which is insane and
> ridiculously complicated" ...
>
>   If it works with eapol_test, and not with Windows, blame Windows.  If
> you have all of the right certs && config on the Windows machine (as
> shown on my web site), then that version of Windows is broken.  Use
> another Windows machine and it should work.

I've not got any Windows kit on my network at all. I'm using eapol_test throughout at the moment (see my first email for the commands that I used).

I've just recompiled from the same 2.1.9 tarball that I used on the working server, done the absolute bare minimum to configure (your howto said it should pretty much work out of the box with no config for eap), and I've got the same results - i.e., eapol_test works from localhost but not remotely.

The same test using the same two machines swapped over, i.e., client on the 'live' machine, server on my dev machine, works fine.

The procedure I followed to do this most recent install was:

uninstall freeradius from the broken server, move all the configs out the way

copy + extract freeradius_2.1.9+git.tar.gz from my working server to the broken one

./configure

discover I don't have mysql-devel, python-devel and gdbm-devel. Use yum to install those, make clean, ./configure again, then make install

All the config files have been installed to /usr/local/etc/raddb, which suits me as I don't like doing 'make install' on an rpm based machine!

in ./certs, edit the three .cnf files, do 'make'

edit clients.conf to allow the remote machine to connect:

    client 192.168.0.0/16 {
            nastype = other
            secret = testing123
            shortname = name
    }

take out the '#' before 'include sql' in radiusd.conf and in sites-enabled/inner-tunnel

change the mysql password in sql.conf

put 'copy_request_to_tunnel' in eap.conf in the ttls section, so that I can check for calling_station_Id at

The radcheck table database is identical on both machines and contains this:

    mysql> select * from radcheck;
    +----+----------+--------------------+----+--------------+
    | id | username | attribute          | op | value        |
    +----+----------+--------------------+----+--------------+
    |  1 | u        | Cleartext-Password | := | p            |
    |  7 | o        | Calling-Station-Id | := | 00197e18c21b |
    |  6 | n        | Auth-type          | := | EAP          |
    |  4 | m        | Cleartext-Password | := | p            |
    |  5 | m        | Calling-Station-Id | := | 00197eb8c20a |
    |  8 | o        | Cleartext-Password | := | p            |
    |  9 | john     | Cleartext-Password | := | password1    |
    +----+----------+--------------------+----+--------------+
    7 rows in set (0.00 sec)

I believe that's all I changed from the default config.

Still doesn't work though - fails in exactly the same way. I'm pretty sure the network between the two machines is clear - would it give a comms error if some packets were getting truncated if there were, e.g. an MTU issue?
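
Added example, not part of the original message or of FreeRADIUS: a small UDP echo probe that separates the two failure modes raised above, a stream that dies after the first few packets versus loss of only the large (fragmented) datagrams, as with an MTU problem. The script layout, the size pattern and the port given on the command line are assumptions made for this illustration.

```python
import socket
import sys

# Constructed pattern: small and large datagrams interleaved, so a size limit and a "dies after N" drop look different.
SIZES = [100, 1400, 100, 1600, 100, 3000, 100, 1400]

def echo_server(port):
    """Temporary diagnostic for the RADIUS host: echo every datagram back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", port))
        while True:
            data, addr = s.recvfrom(65535)
            s.sendto(data, addr)

def probe(host, port, sizes=SIZES, timeout=1.0):
    """Send numbered datagrams; return [(seq, size, echoed_intact)]."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for seq, size in enumerate(sizes, 1):
            payload = seq.to_bytes(4, "big").ljust(size, b"\xa5")
            try:
                s.sendto(payload, (host, port))
                ok = s.recvfrom(65535)[0] == payload  # truncated or stale echo fails
            except OSError:  # includes timeouts
                ok = False
            results.append((seq, size, ok))
    return results

def classify(results):
    """Label the loss pattern: clean, none, size, count or mixed."""
    lost = [(q, n) for q, n, ok in results if not ok]
    passed = [(q, n) for q, n, ok in results if ok]
    if not lost:
        return "clean"
    if not passed:
        return "none"
    if min(n for _, n in lost) > max(n for _, n in passed):
        return "size"   # only the large datagrams are lost: fragmentation / MTU
    if max(q for q, _ in passed) < min(q for q, _ in lost):
        return "count"  # everything after the first few packets is lost
    return "mixed"

if __name__ == "__main__":  # usage: server PORT   |   HOST PORT
    if sys.argv[1] == "server":
        echo_server(int(sys.argv[2]))
    else:
        res = probe(sys.argv[1], int(sys.argv[2]))
        print(res, "pattern:", classify(res))
```

Run it with `server PORT` on the RADIUS host and `HOST PORT` on the client, once per interface, and compare the patterns.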