Hi!

I have 802.1x (EAP-TLS) activated on a wired network, and it works 99% of the time ... just some authentications fail, but some minutes later the same client authenticates without a problem. As it happens only once every few days and always with a new client, I cannot put a sniffer between the PC and the switch, as I don't know which client is next. But I enabled debug logging on the freeradius server. The clients are Windows 7 PCs and I'm running freeradius2-2.1.12-3.el5 on RHEL5.

My first question is, how can I decode an EAP-Message from the debug log to check if the request itself is OK? Here is the first packet from this client in some time, and it already generates the error. But the same client worked before and after it for days without a problem:

    rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519, id=151, length=244
        User-Name = "host/xxxxxxxxxxxxx.tirol.local"
        EAP-Message = 0x02ff00690d800000005f160301005a01000056030150a6115ee4ca2d9456a7fa7edad2fb1c7b221fc747eb78eb4d789ff077c48ef8000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
        NAS-IP-Address = 10.xxx.xxx.4
        Service-Type = Login-User
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        NAS-Port-Id = "2:3"
        NAS-Port = 2003
        NAS-Port-Type = Ethernet
        State = 0x8df2b5f98df2b8eb6e43e372671f4335
        Message-Authenticator = 0x6822006f5e7cf03d00a08b04869d19d8

and the relevant other log lines:

    ++? if (!EAP-Message)
    ? Evaluating !(EAP-Message) -> FALSE
    ++? if (!EAP-Message) -> FALSE
    ++- entering else else {...}
    [eap] EAP packet type response id 255 length 105
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    +++[eap] returns updated
    ++- else else returns updated
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group EAP {...}
    rlm_eap: No EAP session matching the State variable.
    [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
    [eap] Failed in handler
    ++[eap] returns invalid

Invalid means I return a reject ... should I return something else? Is this a client problem or a misconfiguration on my part?

Thx for your help!

Kind regards
Robert Penz
--------------------------------------------------------------
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at
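
For the decoding question in the post above, an added example (not part of the original message and not FreeRADIUS code): a small Python decoder that walks the EAP header, the EAP-TLS flags and the first TLS record of the posted EAP-Message value. It assumes an unfragmented packet whose TLS data starts with a complete ClientHello; the name `decode_eap_tls` is hypothetical.

```python
import struct

# EAP-Message value copied from the Access-Request in the post above.
EAP_HEX = ("02ff00690d800000005f" "160301005a01000056" "0301"
           "50a6115ee4ca2d9456a7fa7edad2fb1c7b221fc747eb78eb4d789ff077c48ef8"
           "00" "0018" "002f00350005000ac013c014c009c00a0032003800130004"
           "0100" "0015" "ff01000100000a0006000400170018000b00020100")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap_tls(hex_value):
    """Decode one unfragmented EAP-TLS packet given as a hex string."""
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    code, ident, length = struct.unpack_from("!BBH", raw, 0)
    out = {"code": EAP_CODES.get(code, code), "id": ident,
           "length": length, "length_ok": length == len(raw)}
    if code not in (1, 2) or len(raw) < 6:
        return out                       # Success/Failure carry no type data
    out["type"] = raw[4]                 # 13 = EAP-TLS (RFC 5216)
    if raw[4] != 13:
        return out
    flags, pos = raw[5], 6
    out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                    "S": bool(flags & 0x20)}
    if flags & 0x80:                     # L bit: 4-byte total TLS length follows
        out["tls_total"] = struct.unpack_from("!I", raw, pos)[0]
        pos += 4
    if len(raw) - pos < 5:
        return out                       # EAP-TLS Start or ACK: no TLS data
    ctype, version, rec_len = struct.unpack_from("!BHH", raw, pos)
    out["record"] = {"content_type": ctype, "version": hex(version),
                     "length": rec_len}
    pos += 5
    if ctype != 22 or raw[pos] != 1:     # only walk a handshake ClientHello
        return out
    pos += 4                             # handshake type + 24-bit length
    out["client_version"] = hex(struct.unpack_from("!H", raw, pos)[0])
    pos += 2 + 32                        # skip version and 32-byte random
    pos += 1 + raw[pos]                  # skip session id
    n = struct.unpack_from("!H", raw, pos)[0]
    out["cipher_suites"] = [raw[i:i + 2].hex()
                            for i in range(pos + 2, pos + 2 + n, 2)]
    return out

if __name__ == "__main__":
    for key, value in decode_eap_tls(EAP_HEX).items():
        print(f"{key}: {value}")
```

On the posted value this yields an EAP Response with id 255 and type 13 (EAP-TLS) whose declared length of 105 matches the byte count, carrying a TLS 1.0 handshake record with a ClientHello offering 12 cipher suites.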