repeated re-auth attempts from OSX

Mon Aug 8 13:02:04 CEST 2016

Hi,

I have configured a freeradius (v2.2.0) server under Ubuntu server 16.04.1 which is connected to the domain and can successfully authenticate users in AD as checked with radtest, wbinfo and ntlm_auth tests along with 2 windows workstations using difference versions of OS.
I’m using PEAP with certificate authentication added through group policy and all working fine with Windows.

I have created an 802.1x profile using OSX Server and installed the profile onto a macbook pro using El Capitan.
The profile installs the trusted root CA and the certificate of the Ubuntu freeradius server.
All seems well and while watching the output of ‘freeradius –X’ I see the output ‘Access-Accept’ when testing.

However, on first connection from the macbook, it seems to request re-authentication a random number of times (10 or so?), each time receiving an ‘Access-Accept’ message.
It will then become stable and settle and remain connected after these initial attempts.

I guess there may be an issue with the supplicant on OSX but wondered if this was a known issue (couldn’t find anything on searching though), or whether there is something specific I am missing in the freeradius configuration (doubt it since the client is sending a request which works, followed by another request...).
I have tried different settings in the profile but to be honest it is very limited and is straightforward.
Please note, I am not asking for help with OSX/Apple/Profile Manager since this seems to be configured and does work, but is this behaviour recognisable to anyone?

Any help appreciated.

------------------------------

# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 181 to 192.168.200.171 port 58503
            MS-MPPE-Recv-Key = 0xdc8844116c10c664e023ae931983a5a6dbdf7e88627fb494b32b1b755d005932
            MS-MPPE-Send-Key = 0xd0baa5f2a44c337197bb77c5eb8f89d3ae6b6e163e95c07edf1a801826985d19
            EAP-Message = 0x03400004
            Message-Authenticator = 0x00000000000000000000000000000000
            User-Name = "xxxxxxxxxxxxx"
Finished request 98.
Going to the next request
Waking up in 4.7 seconds.
------------------------------

Dave Hanlon
Solutions Architect
Nomical Networks
0344 3843 000
www.nomical.com
Moss Bridge Road, Rochdale, Lancs OL16 5LX
This email and any attachments are intended for the named recipient only. Its unauthorised use, distribution, disclosure, storage or copying is not permitted. If you have received it in error, please destroy all copies and notify the sender. In messages of a non-business nature, the views and opinions expressed are the author's own and do not necessarily reflect those of the organisation from which it is sent. All emails may be subject to monitoring.

Nomical Ltd - Registered in England No: 06035958, VAT Reg No: 900363074, Registered Office: 1 Norman Villas, Barrack Lane, Ringwood, Hampshire, BH24 3ES