Hi,

> No, the machines are identical, only changed IP, hostname and certificates.
> No updates or something.

Okay...

> I put the debug output in appendix.
> Sorry I had to remove passwords and IPs because of security reasons, I
> think you will understand ;-)

That part of mangling is okay :-)

>> If you positively want to rule out that the certificate change was the
>> problem, you could, if your CA's policy allows, install the old server's
>> certificate on the new instance. For IEEE 802.1X, there is no
>> requirement that DNS names and CN/subjectAltNames match.
> This was the first thing I tried...

Good!

Looking at the output, things become clearer. The "conversation" ends when the server tries to send the first Access-Challenge packet to the client. It seems like that packet never gets there - and so the client retransmits the same Request over and over again. The server then repeatedly tries to re-send its reply, but again, it never seems to get there.

Make sure that the changed IP address doesn't lead to some firewall (host FW? net FW? Cisco Controller's ACLs?) eating the responses.

At least it is now apparent that it's not a certificate issue - the EAP conversation doesn't even get far enough to send certificate data at all.

In any case, I don't think the FreeRADIUS server process is to be blamed - it sends a well-formed response to a reasonable request. Something's wrong between the server OS and the supplicant.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
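The symptom described in the message above (the NAS re-sending the same Access-Request after the server has already sent an Access-Challenge) can be checked mechanically on a server-side capture. The following is an added example, not part of the original post or of FreeRADIUS; the function names, the `(src, dst, payload)` tuple layout and the sample addresses are assumptions made for illustration.

```python
import struct
from collections import Counter

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11  # RADIUS codes from RFC 2865

def parse_header(datagram):
    """RFC 2865 header: code(1) identifier(1) length(2) authenticator(16)."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= len(datagram):
        raise ValueError("length field does not fit the datagram")
    return code, ident, datagram[4:20]

def find_lost_replies(capture):
    """capture: (src_ip, dst_ip, udp_payload) tuples in order, as seen on
    the RADIUS server. Returns {(nas_ip, id): n} where n counts requests
    the NAS re-sent unchanged after the server had already answered."""
    latest = {}       # (nas, id) -> authenticator of the newest request
    answered = set()  # (nas, id, authenticator) the server replied to
    lost = Counter()
    for src, dst, payload in capture:
        code, ident, auth = parse_header(payload)
        if code == ACCESS_REQUEST:
            # Same id AND same Request Authenticator means a retransmit,
            # not a new EAP round that happens to reuse the identifier.
            if (src, ident, auth) in answered:
                lost[(src, ident)] += 1
            latest[(src, ident)] = auth
        elif code == ACCESS_CHALLENGE and (dst, ident) in latest:
            answered.add((dst, ident, latest[(dst, ident)]))
    return dict(lost)

def _pkt(code, ident, auth):
    return struct.pack("!BBH", code, ident, 20) + auth

# Constructed sample data (documentation addresses, not from the thread).
NAS, SRV = "192.0.2.10", "192.0.2.1"
A, B, C = b"A" * 16, b"B" * 16, b"C" * 16
BROKEN = [(NAS, SRV, _pkt(1, 7, A)), (SRV, NAS, _pkt(11, 7, B)),
          (NAS, SRV, _pkt(1, 7, A)), (SRV, NAS, _pkt(11, 7, B)),
          (NAS, SRV, _pkt(1, 7, A)), (SRV, NAS, _pkt(11, 7, B))]
HEALTHY = [(NAS, SRV, _pkt(1, 7, A)), (SRV, NAS, _pkt(11, 7, B)),
           (NAS, SRV, _pkt(1, 8, C)), (SRV, NAS, _pkt(11, 8, B))]

if __name__ == "__main__":
    print("broken path :", find_lost_replies(BROKEN))
    print("healthy path:", find_lost_replies(HEALTHY))
```

A non-empty result means the server is answering but the replies are not reaching the NAS, which points at filtering or routing on the return path rather than at the EAP or certificate configuration.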