Mac PEAP authentication with FreeRADIUS Pre2.0

Michael Griego mgriego at utdallas.edu
Fri Feb 2 01:00:26 CET 2007


Yes, it looks like your Mac may not like the MSCHAPv2 response for
some reason.  On your Mac (as root), create the directory
/var/log/eapolclient, then retry your authentication.  The EAP client in OS X
should write out debugging information for the EAP session into that
directory and should give you a better idea of why it's halting.

--Mike

On Feb 1, 2007, at 3:21 PM, King, Michael wrote:

>> -----Original Message-----
>>
>> When I try a Mac (PowerMac 10.4.8, but have tried also on 10.3.x), it
>> seems to not work.  The Mac throws an error "802.1x Authentication
>> has failed."
>
> After more testing, and staring at the debugs, it seems this is where
> the break-down is, the Mac isn't answering the tunneled-Access
> Challenge.  Least, this is what I'm thinking. (This is a different
> debug)
>
> modcall:  entering group authenticate for request 23
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
>   Processing the authenticate section of radiusd.conf
> modcall:  entering group MS-CHAP for request 23
>   rlm_mschap: No Cleartext-Password configured.  Cannot create
> LM-Password.
>   rlm_mschap: No Cleartext-Password configured.  Cannot create
> NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for mking with NT-Password
> radius_xlat: Running registered xlat function of module mschap for
> string 'User-Name'
> radius_xlat:  '--username=mking'
> radius_xlat: Running registered xlat function of module mschap for
> string 'Challenge'
>  mschap2: 94
> radius_xlat:  '--challenge=4ebfbb2c2373c4c9'
> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Response'
> radius_xlat:
> '--nt-response=a53b88d2b14aead7f697498aa066c2d02e79c3d0a6e84427'
> Exec-Program output: NT_KEY: 1BA2159EDC0597637BA8848B83AA9B2B
> Exec-Program-Wait: plaintext: NT_KEY: 1BA2159EDC0597637BA8848B83AA9B2B
> Exec-Program: returned: 0
> rlm_mschap: adding MS-CHAPv2 MPPE keys
>   modcall[authenticate]: module "mschap" returns ok for request 23
> modcall: group MS-CHAP returns ok for request 23
> MSCHAP Success
>   modcall[authenticate]: module "eap" returns handled for request 23
> modcall: group authenticate returns handled for request 23
>   PEAP: Got tunneled reply RADIUS code 11
>         MS-CHAP2-Success =
> 0x0d533d65333662373338316262383939643261306661336565356463333831303631 
> 61
> 6663303239326336
>         EAP-Message =
> 0x010e00331a030d002e533d6533366237333831626238393964326130666133656535 
> 64
> 63333831303631616663303239326336
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfd5c09024628badca09e5ae9eec682e7
>   PEAP: Processing from tunneled session code 0x81c1788 11
>         MS-CHAP2-Success =
> 0x0d533d65333662373338316262383939643261306661336565356463333831303631 
> 61
> 6663303239326336
>         EAP-Message =
> 0x010e00331a030d002e533d6533366237333831626238393964326130666133656535 
> 64
> 63333831303631616663303239326336
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfd5c09024628badca09e5ae9eec682e7
>   PEAP: Got tunneled Access-Challenge
>   modcall[authenticate]: module "eap" returns handled for request 23
> modcall: group authenticate returns handled for request 23
> Sending Access-Challenge of id 4 to 10.0.1.22 port 32769
>         EAP-Message =
> 0x010e005b1900170301005075b366b0bc3665ce9cc4c3bb5d4907020fce14dcf06c5f 
> fb
> cdc725c126803bd0de38918995021346758fc00ed823cc7b13be5d69ed780a80ac04bf 
> cb
> 9cb85dee2ab382e8b88b3a7b7cdccfc227583867
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xf3f735fa7f444b2ef47757092fcbef29
> Finished request 23
> Going to the next request
> Waking up in 5 seconds...
> --- Walking the entire request list ---
> Cleaning up request 16 ID 253 with timestamp 45c257be
> Cleaning up request 20 ID 1 with timestamp 45c257be
> Cleaning up request 22 ID 3 with timestamp 45c257be
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
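
Added example, not part of the original thread or of FreeRADIUS: a small Python decoder for two of the EAP-Message values in the quoted debug output, showing what the server put inside the PEAP tunnel and what it sent to the NAS. The function names `unwrap` and `decode_eap` are hypothetical; the hex strings are copied from the log with the mail line-wrapping left in.

```python
import re
import struct

# Attribute values copied from the quoted debug log, mail line-wrapping left in.
INNER_EAP = """0x010e00331a030d002e533d6533366237333831626238393964326130666133656535
64
63333831303631616663303239326336"""
OUTER_EAP = """0x010e005b1900170301005075b366b0bc3665ce9cc4c3bb5d4907020fce14dcf06c5f
fb
cdc725c126803bd0de38918995021346758fc00ed823cc7b13be5d69ed780a80ac04bf
cb
9cb85dee2ab382e8b88b3a7b7cdccfc227583867"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def unwrap(hex_text):
    """Rejoin a wrapped attribute value: drop '>' quote marks, whitespace, 0x prefix."""
    joined = re.sub(r"[>\s]", "", hex_text)
    return bytes.fromhex(joined[2:] if joined.lower().startswith("0x") else joined)

def decode_eap(raw):
    """Decode the EAP header, plus the EAP-MSCHAPv2 or PEAP fields that follow it."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes (bad unwrap?)")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return info                      # Success/Failure carry no type field
    info["type"] = raw[4]
    if raw[4] == 26 and length >= 9:     # EAP-MSCHAPv2
        opcode, ms_id, ms_len = struct.unpack("!BBH", raw[5:9])
        info.update(opcode=MSCHAP_OPCODES.get(opcode, opcode), ms_id=ms_id)
        if opcode in (3, 4):             # Success/Failure: rest is a text message
            info["message"] = raw[9:5 + ms_len].decode("ascii")
    elif raw[4] == 25 and length >= 6:   # PEAP: flags byte, then TLS records
        flags = raw[5]
        off = 10 if flags & 0x80 else 6  # L bit set: 4-byte TLS length comes first
        info["flags"] = flags
        if len(raw) >= off + 5:
            rtype, major, minor, rlen = struct.unpack("!BBBH", raw[off:off + 5])
            info.update(tls_type=rtype, tls_version=(major, minor), tls_length=rlen)
    return info

if __name__ == "__main__":
    print("inner:", decode_eap(unwrap(INNER_EAP)))
    print("outer:", decode_eap(unwrap(OUTER_EAP)))
```

The inner packet decodes as an EAP-MSCHAPv2 Success request carrying the `S=` authenticator response, and the outer one as a PEAP request holding a single TLS application-data record, which is the Access-Challenge the client has to answer.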
