I think you should post the whole log; maybe somebody will find the reason.

-----Original Message-----
From: freeradius-users-bounces+guanxu=aotuis....@lists.freeradius.org [mailto:freeradius-users-bounces+guanxu=aotuis....@lists.freeradius.org] On Behalf Of Benjamin Malynovytch
Sent: 21 June 2012 23:26
To: freeradius-users@lists.freeradius.org
Subject: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore
Dear list members,

Before writing this email, I spent hours in debug and reading the ML and howtos. The configuration I'm trying to debug was working a couple of weeks ago. The wifi access point became faulty (antenna broken) and was replaced in RMA (Cisco WAP200-EU). Before sending the AP back, I saved the configuration file through the dedicated wizard provided by the web GUI. When the new one arrived, I updated the firmware with the same one that used to be in production (I still had the binary file) and re-uploaded the configuration file. (Fw rev: 2.0.4.0-ETSI)

All the configuration seemed to be restored as expected, as well as the 802.1X parameters (IP / port of FR, shared key, mode ...). IP and port are fine, as well as the shared key, which I already tried to change (removing special chars). Mode is set to "WPA2 Enterprise" (encryption to AES).

Before I give more details on the configuration, here are some details:
- certs are generated using the Makefile provided with FreeRADIUS, with special OIDs (openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf)
- I followed the FAQ and the official howtos a couple of times, starting all over without success
- FreeRADIUS v2.1.10 on CentOS 6.2 x86_64

What works:
- eapol_test with my personal client cert receives "Access-Accept"
- using the AP configuration on a network switch, enabling 802.1X with the same parameters works (even though the time between each Access-Challenge is quite long, around 5 secs)

What doesn't work:
- wifi auth keeps exchanging Access-Challenge, ending with "EAP session for state ... did not finish! ... bla bla bla"

Tests are made with a MacBook, using Mac OS X Lion. CA and client certs are set up properly and used to be working like a charm before RMA. I also tested a pair of iPhones and a Windows 7 notebook that also used to be working properly.
On the MacBook, I don't need to change any setting in the configuration (certs or params) to use either wifi or ethernet with 802.1X. Ethernet works while Wifi doesn't.

I tried to reduce packet fragmentation to 768. The conf used to be working well with the default.

You will find the full configuration file (the working configuration was reduced to minimal; the test ones are based on the default file set provided with FR, giving exactly the same behavior) linked at the end of this mail.

What I would like at first is advice on where to search, as the configuration of FR used to be working well, as well as the client certificates and the client configurations.

Thanks in advance for your help.

/etc/raddb/radiusd.conf : http://paste.org/50823
/etc/raddb/users : http://paste.org/50822
radiusd -d /etc/raddb -X : http://paste.org/50824

Best regards,
--
Benjamin MALYNOVYTCH

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
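When narrowing down an EAP-TLS failure like the one above, the client certificate can be ruled in or out early by checking it the way the RADIUS server's TLS stack will: it must chain to the CA (which also covers the validity window) and carry the TLS client-authentication extended key usage (OID 1.3.6.1.5.5.7.3.2), which is what the xpclient_ext section of FreeRADIUS's xpextensions file sets. The POSIX shell function below is an added example, not part of the original posts or of FreeRADIUS; it assumes the openssl command-line tool is installed and that the CA and client certificates are PEM files, and it reads the human-readable output of openssl x509 -text, so it matches OpenSSL's printed name for the OID rather than the OID itself.

```shell
#!/bin/sh
# check_eap_tls_cert: sanity-check a client certificate before digging into
# the RADIUS side of an EAP-TLS failure. Hypothetical helper (not part of
# FreeRADIUS); assumes the openssl CLI and PEM-encoded inputs.
#
# Returns 0 when the certificate chains to the CA (which also covers the
# validity window) and carries the TLS client-auth EKU; 1 on a chain or
# validity failure; 2 when the EKU is missing. A one-line reason is printed.
check_eap_tls_cert() {
    ca="$1"
    cert="$2"

    # Step 1: chain and validity, as the TLS stack evaluates it. The printed
    # result is checked instead of the exit code because old openssl releases
    # returned 0 even when verification failed.
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1)
    case "$out" in
        *": OK"*) ;;
        *) echo "FAIL: $cert does not verify against $ca: $out"; return 1 ;;
    esac

    # Step 2: the certificate must be marked for TLS client authentication
    # (clientAuth, 1.3.6.1.5.5.7.3.2). openssl prints that OID as
    # "TLS Web Client Authentication" in its text dump; the awk program takes
    # the line that follows the EKU header and strips its indentation.
    eku=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }')
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: $cert has no clientAuth EKU (found: ${eku:-none})"; return 2 ;;
    esac

    echo "OK: $cert chains to $ca and is valid for EAP-TLS client authentication"
    return 0
}

# Stand-alone use: sh check_eap_tls_cert.sh ca.pem client.crt
if [ "$#" -eq 2 ]; then
    check_eap_tls_cert "$1" "$2"
fi
```

Running it against the CA and the client certificate that eapol_test succeeds with should print OK; a chain failure points at a CA or validity problem, and a missing-EKU failure means the certificate was not signed with the xpclient_ext extensions the Makefile is supposed to apply.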