If you have followed the steps for configuring EAP and are encountering problems, there are only a few things that can go wrong. This article goes through the most common issues and how to fix them.
Server unresponsive after sending request
Problem: A lot of text scrolls by, the server sends an Access-Challenge, and then prints out a message saying "Cleaning up request ...". After that, nothing more happens. The debug output will likely contain a message about "unknown CA".
Diagnosis: The client does not like the server certificate, or the CA which issued that certificate.
Solution: On a testing system, uncheck Validate Server Certificate as noted in the EAP page. Do not leave it unchecked on a production system: without server validation, the client will hand its credentials to any access point that presents a certificate, which is exactly the rogue-AP attack the check exists to prevent.
Solution: On a production system, ensure that the client has been configured to trust the Certificate Authority which issued the server certificate, and that the server is using the matching server certificate, as noted in the EAP page.
Solution: On a production system, ensure that the server certificate has the proper “TLS Web Server Authentication” OID (Object Identifier) in its Extended Key Usage extension (id-kp-serverAuth, 1.3.6.1.5.5.7.3.1). (Yes, EAP needs a “web server” certificate. That decision was made 20 years ago, and can’t be changed now.)
Don’t worry, the FreeRADIUS certificate creation scripts in /etc/raddb/certs/ create the certificates with the proper information. Unless you already have a certificate management system, those scripts should always be used to create RADIUS certificates.
See also Microsoft KB-814394, which lists the certificate requirements for EAP-TLS and PEAP. Note that we do not necessarily agree with their explanations, but the fix does appear to work.
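The two checks above (is the issuing CA trusted by the client, and does the server certificate carry the serverAuth OID) can be run on the Windows client itself before touching the supplicant settings. The script below is an added example, not code from this article, from Network RADIUS, or from the FreeRADIUS project. It assumes the public part of the server certificate has been copied from the RADIUS host to the hypothetical path C:\temp\server.pem; everything else uses only the .NET X509 classes that ship with Windows PowerShell.

```powershell
# Added example: check a RADIUS server certificate the way the Windows
# supplicant does when "Validate server certificate" is ticked.
# Run on the Windows client. $CertPath is an assumed location.
param(
    [string]$CertPath = 'C:\temp\server.pem'   # assumed path (hypothetical)
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, "TLS Web Server Authentication"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# Check 1: the server certificate must carry the serverAuth EKU explicitly.
# A certificate with no EKU extension passes a generic chain build, but the
# supplicant still refuses it, so test for the OID directly.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $false
if ($eku) {
    $hasServerAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid
}
"serverAuth EKU present : $hasServerAuth"

# Check 2: build the chain against this machine's certificate stores with the
# serverAuth application policy. "UntrustedRoot" in the status list means the
# issuing CA has not been installed in the client's Trusted Root store, which
# is the usual cause of the "unknown CA" alert seen in the server debug output.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $serverAuthOid)) | Out-Null
$chainOk = $chain.Build($cert)
"Chain builds to a trusted root : $chainOk"
foreach ($s in $chain.ChainStatus) {
    "  $($s.Status): $($s.StatusInformation.Trim())"
}
"Chain:"
foreach ($e in $chain.ChainElements) { "  $($e.Certificate.Subject)" }

if ($hasServerAuth -and $chainOk) {
    "OK: the supplicant should accept this certificate."
} else {
    "FAIL: fix the items above before re-testing with 'Validate server certificate' enabled."
}
```

Revocation checking is disabled because the supplicant is typically not on the network yet when it validates the server certificate; re-enable it if your deployment publishes CRLs that the client can reach before authentication.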
Server sends Access-Reject
Problem: The server sends an Access-Reject.
Diagnosis: The password entered on the client does not match the “known good” password that the server has.
Solution: Double-check that the passwords are the same. Use the simplest possible configuration to do this.
Other issues
Problem: The Windows client still won’t connect.
Diagnosis: If none of the above fixes work, and you still see the Access-Challenge sent… and then nothing, the problem is some kind of Windows magic.
Solution: Enable EAPHost Tracing.
To enable tracing, run the following commands from a privileged command prompt (i.e. as Administrator):
netsh wlan set tra yes
netsh ras set tr * en
After the problem has been reproduced (using one login attempt), tracing can be disabled by:
netsh ras set tr * dis
netsh wlan set tra no
The output files (*.etl) will be in the %windir%\tracing\wireless\ directory, usually in various subdirectories. The .etl files can be converted to .txt files via the tracerpt command.
The final files can be put on a web page, and questions posted to the freeradius-users list.
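The whole capture procedure (enable tracing, make one login attempt, disable tracing, convert the .etl files) can be run as a single script so that the trace covers exactly one attempt. The script below is an added example, not from this article, Network RADIUS or the FreeRADIUS project. It spells out the abbreviated netsh commands in full, writes converted traces to the assumed, hypothetical folder C:\temp\eaptrace, and also copies the plain-text .log files that "netsh ras set tracing" writes to the top of %windir%\tracing.

```powershell
# Added example: collect Windows EAPHost/WLAN traces for exactly one login
# attempt and convert them to text for posting. Run from an elevated
# PowerShell prompt. $OutDir is an assumed, hypothetical location.
$OutDir   = 'C:\temp\eaptrace'                        # assumed output folder
$TraceDir = Join-Path $env:windir 'tracing'           # where netsh tracing writes
$WlanDir  = Join-Path $TraceDir 'wireless'            # .etl files land here (subdirectories too)

# netsh tracing silently fails without elevation, so check first.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell prompt.' }

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Start tracing: full spelling of "netsh wlan set tra yes" / "netsh ras set tr * en".
netsh wlan set tracing mode=yes
netsh ras set tracing * enabled

Read-Host 'Tracing is ON. Make exactly ONE login attempt, then press Enter'

# Stop tracing; the .etl files are flushed when tracing is disabled.
netsh ras set tracing * disabled
netsh wlan set tracing mode=no

# Convert every .etl under %windir%\tracing\wireless to CSV text with tracerpt
# (-of CSV selects text output, -y answers the overwrite prompt).
Get-ChildItem -Path $WlanDir -Filter *.etl -Recurse | ForEach-Object {
    $txt = Join-Path $OutDir ($_.BaseName + '.txt')
    tracerpt $_.FullName -o $txt -of CSV -y
}

# RAS tracing already writes plain-text .log files; copy them alongside.
Get-ChildItem -Path $TraceDir -Filter *.log | Copy-Item -Destination $OutDir

"Trace files ready for posting:"
Get-ChildItem $OutDir | Select-Object Name, Length
```

Review the converted files before posting them: the traces contain the user name, machine name and network details of the client that made the attempt.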
Need more help?
Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.