Hello,

sometimes I get the error

WARNING: !! EAP session for state 0xABCDEFGHIJKLMNOP did not finish!

in my log files / debug output. Before anybody says "have a look at

http://deployingradius.com/documents/configuration/eap-problems.html

that will help", please read on, because I have already done that and I believe 
the problem is a little bit more tricky.

I support PEAP+MsCHAPv2 only, and 90% of the time it just works. I am pretty sure 
that the certificate is all right. If anybody wants to check it, it can be found 
here

https://freeradius:eaper...@www.stud.uni-karlsruhe.de/~uzbii/hekauth-certs.pem

The certificate file includes all intermediate issuers and the trusted CA. The 
CA is Germany's biggest telco, so most OSes ship with it by default. The 
certificate also includes the X509v3 Extended Key Usages TLS Web Client 
Authentication and TLS Web Server Authentication in order to satisfy Windows 
clients.

My RADIUS config looks like this:

certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_file = ${certdir}/hekauth-key.pem
certificate_file = ${certdir}/hekauth-certs.pem
# CA_file = 
CA_path = ${certdir}/empty-by-purpose/


If a new client connects for the very first time, most OSes automatically 
detect the correct authentication scheme, ask for username and password, 
present the certificate for confirmation, and it works out of the box. (No 
errors on either the client or the server side.)

Randomly, I get this error message although the respective client normally 
works. In that case the client just restarts the authentication and then 
succeeds on the second attempt. Hence the only difference the user might notice 
is an authentication that takes some milliseconds longer.

During the last four days there have been 1278 such errors, 2519 sessions and 
9651 successful authentication attempts, i.e. each session triggered 
approximately 3.8 re-authentications, from 93 different clients and at least 6 
different OSes.

I cannot find any pattern, so I do not believe it to be a client side issue.

Of course, one can argue that the warning can be ignored as it works most of 
the time, but I do not like non-deterministically behaving IT systems, hence it 
preys on my mind.

Does anybody have an idea what the reason might be? If anybody wants to see a 
full debug output or a tcpdump, I can provide plenty of that. But I could not 
find anything.

Yours, Matthias

----------------------------------------------------------------------
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

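The post above reports aggregate counts (errors, sessions, successes) and says no per-client pattern could be found. The following Python script is an added triage example, not part of the original post and not FreeRADIUS code. It reads a radiusd -X style transcript, attributes each "did not finish" warning to a client by matching the hex in the warning against the State values seen in earlier packets, and reports per-client counts so you can tell whether the warnings cluster on a few clients or are spread across all of them. The transcript format, NAS address, user names, MAC addresses and State values are constructed sample data, and the attribution rule (that the bytes printed in the warning are a prefix of the State attribute of the same EAP conversation) is an assumption of this example, not something the post confirms.

```python
"""Triage helper for FreeRADIUS "EAP session ... did not finish" warnings.

Added example (not from the original post, not FreeRADIUS code). The input
below is a constructed approximation of radiusd -X output, not a real capture.
Assumption: the hex printed in the warning is a prefix of the State attribute
value that was issued to the same EAP conversation, so a warning can be tied
to a client by State rather than by the request block it happens to appear in.
"""
import re
from collections import Counter

# Constructed sample: alice and carol each get one warning and then succeed on
# their next attempt, bob never gets one, and one warning matches no known State.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=1, length=180
\tUser-Name = "alice"
\tCalling-Station-Id = "00-11-22-aa-aa-aa"
\tEAP-Message = 0x0201000a01616c696365
Sending Access-Challenge of id 1 to 10.0.0.1 port 1812
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=2, length=220
\tUser-Name = "alice"
\tCalling-Station-Id = "00-11-22-aa-aa-aa"
\tState = 0x1111111111111111aaaaaaaaaaaaaaaa
Sending Access-Challenge of id 2 to 10.0.0.1 port 1812
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=3, length=180
\tUser-Name = "bob"
\tCalling-Station-Id = "00-11-22-bb-bb-bb"
Sending Access-Challenge of id 3 to 10.0.0.1 port 1812
WARNING: !! EAP session for state 0x1111111111111111 did not finish!
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=4, length=180
\tUser-Name = "alice"
\tCalling-Station-Id = "00-11-22-aa-aa-aa"
Sending Access-Challenge of id 4 to 10.0.0.1 port 1812
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=5, length=220
\tUser-Name = "alice"
\tCalling-Station-Id = "00-11-22-aa-aa-aa"
\tState = 0x2222222222222222aaaaaaaaaaaaaaaa
Sending Access-Accept of id 5 to 10.0.0.1 port 1812
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=6, length=220
\tUser-Name = "bob"
\tCalling-Station-Id = "00-11-22-bb-bb-bb"
\tState = 0x3333333333333333bbbbbbbbbbbbbbbb
Sending Access-Accept of id 6 to 10.0.0.1 port 1812
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=7, length=180
\tUser-Name = "carol"
\tCalling-Station-Id = "00-11-22-cc-cc-cc"
Sending Access-Challenge of id 7 to 10.0.0.1 port 1812
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=8, length=220
\tUser-Name = "carol"
\tCalling-Station-Id = "00-11-22-cc-cc-cc"
\tState = 0x4444444444444444cccccccccccccccc
Sending Access-Challenge of id 8 to 10.0.0.1 port 1812
WARNING: !! EAP session for state 0x4444444444444444 did not finish!
WARNING: !! EAP session for state 0x9999999999999999 did not finish!
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=9, length=180
\tUser-Name = "carol"
\tCalling-Station-Id = "00-11-22-cc-cc-cc"
Sending Access-Challenge of id 9 to 10.0.0.1 port 1812
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=10, length=220
\tUser-Name = "carol"
\tCalling-Station-Id = "00-11-22-cc-cc-cc"
\tState = 0x5555555555555555cccccccccccccccc
Sending Access-Accept of id 10 to 10.0.0.1 port 1812
"""

RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
RE_ATTR = re.compile(r'^\s+(User-Name|Calling-Station-Id|State) = "?([^"\s]+)"?')
RE_SEND = re.compile(r"^Sending (Access-Accept|Access-Reject|Access-Challenge) of id (\d+)")
RE_WARN = re.compile(r"EAP session for state 0x([0-9a-fA-F]+) did not finish")
ATTR_KEY = {"User-Name": "user", "Calling-Station-Id": "client", "State": "state"}


def parse_debug(text):
    """Split the transcript into one record per Access-Request plus a list of
    warning state prefixes (lowercase hex, no 0x)."""
    requests, warnings, current = [], [], None
    for line in text.splitlines():
        m = RE_RECV.match(line)
        if m:
            current = {"nas": m.group(1), "id": int(m.group(2)), "user": None,
                       "client": None, "state": None, "outcome": None}
            requests.append(current)
            continue
        m = RE_WARN.search(line)
        if m:  # warnings are collected independently of the enclosing block
            warnings.append(m.group(1).lower())
            continue
        if current is None:
            continue
        m = RE_ATTR.match(line)
        if m:
            key, val = ATTR_KEY[m.group(1)], m.group(2)
            if key == "state":
                val = val.lower()
                val = val[2:] if val.startswith("0x") else val
            current[key] = val
            continue
        m = RE_SEND.match(line)
        if m:
            current["outcome"] = m.group(1)
    return requests, warnings


def attribute_warnings(requests, warnings):
    """Tie each warning to a client via State prefix (assumption, see module doc).
    Returns (Counter of warnings per client, number of unattributed warnings)."""
    by_state = {r["state"]: r["client"] for r in requests if r["state"] and r["client"]}
    per_client, unattributed = Counter(), 0
    for prefix in warnings:
        owner = next((c for s, c in by_state.items() if s.startswith(prefix)), None)
        if owner is None:
            unattributed += 1
        else:
            per_client[owner] += 1
    return per_client, unattributed


def summarize(text):
    """Aggregate counts in the spirit of the post's four-day statistics."""
    requests, warnings = parse_debug(text)
    warned, unattributed = attribute_warnings(requests, warnings)
    accepts = Counter(r["client"] for r in requests if r["outcome"] == "Access-Accept")
    clients = {r["client"] for r in requests if r["client"]}
    return {
        "requests": len(requests),
        "warnings": len(warnings),
        "unattributed_warnings": unattributed,
        "accepts": sum(accepts.values()),
        "clients": len(clients),
        "clients_with_warning": len(warned),
        "warnings_per_client": dict(warned),
        "accepts_per_client": dict(accepts),
        # If the post's "retries and succeeds on the second attempt" holds,
        # this list stays empty; any entry here is a client worth looking at.
        "warned_but_never_accepted": sorted(c for c in warned if accepts[c] == 0),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run it against a real `radiusd -X` capture by replacing SAMPLE_DEBUG with the file contents; if `unattributed_warnings` stays high, the State-prefix assumption does not hold for your version and the attribution step needs adjusting. A result where nearly every client appears in `warnings_per_client` with similar counts supports the post's "no client-side pattern" reading; a few clients carrying most warnings points the other way.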