On 27.8.2015 9.32, David Zych wrote:

> We have a Windows 7 client that in certain locations around campus
> periodically gets booted off wireless and prompts the user to
> re-enter his credentials.

Thanks for the information. A couple of questions and comments related to this: first, is this just Windows 7 or is it possible/hard to say that there might be problems with other clients too? It might be a good idea to check the settings on the host that has problems and compare them to a host that works. The problem might be something that is caused by the settings.

> There are plenty of other clients in our environment that do _not_
> have this problem (i.e. are able to successfully resume a PEAP session
> and get Access-Accept); nonetheless, because it's having a negative
> impact on some clients I've had to disable EAPTLS_SessionResumption.

Disabling EAPTLS_SessionResumption is safe to do. In fact, it might be a good default option too when one starts to build the authentication configuration. Having it off can increase authentication server and backend load, but I see no other problem with turning it off.

> I'm interested to know if anybody else has observed this, or has
> suggestions on how to get more information about what exactly is
> going wrong (it's clear PEAP doesn't like the supplicant's last
> RADIUS request / EAP Response, but it's not clear exactly why).

There was a report last month about a similar thing where the fix was the same as you did: disable EAPTLS_SessionResumption. Now that we have two cases, it's starting to look like a non-isolated problem.

When it comes to allowing inner authentication after session resumption, I think the idea with resumption is that the inner authentication can be skipped completely. The log messages indicate it's the client that does not want to continue but returns a TLS tunnelled failure indication back to Radiator. For this reason it would be a good idea to compare the working and non-working settings.

I'll see what we can do to replicate this too, but if you already have suitable test hosts, please let us know if you have time to look at them in more detail.

Also, thanks for the idea of debugging EAP contexts.
A hook with some code that previously collects information about the request sounds like a good idea. I've made a ticket about this for us to look at too.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>