User[client mac address] fails authentication too many times in a row when joining WLAN[opetus-x/opetusx] at AP[<a href="https://192.168.154.12/admin/mon_ap.jsp?n=c4:01:7c:1a:50:60">ap1</a>]. User[client mac address] is temporarily blocked from the system for [30 seconds].<br>
<br>Ok, after doing some searching I found more comprehensive logs on Ruckus which reveal the previous lines when trying to connect to the radius network.<br><br>So, apparently it never actually does connect to it, but since the authentication happens OK on the FreeRadius side, I'm left to believe that it is in fact Ruckus who isn't happy with me trying to join the network.<br>
<br><br><div class="gmail_quote">2012/12/3 Taneli Virtanen <span dir="ltr"><<a href="mailto:virtanentaneli@gmail.com" target="_blank">virtanentaneli@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Well, I'm home right now, but tomorrow when I get back to work I'll see what I can do. Client is a Windows 7, but I can also test with XP and Win 8 clients if necessary.<div class="HOEnZb"><div class="h5"><br><br>
<div class="gmail_quote">2012/12/3 Primož Marinšek <span dir="ltr"><<a href="mailto:pmtelos@gmail.com" target="_blank">pmtelos@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I know a little about Ruckus. Can you SSH to the ZD and input the following<br>
<br>
enable<br>
show aaa<br>
show wlan<br>
<br>
and send me the output directly. Maybe there is something strange there.<br>
<br>
Also tell me which FW you are using and which OS the client is using<br>
(tell me which SP if Windows)<br>
<br>
Regards<br>
<div><div><br>
On 3 December 2012 12:30, Arran Cudbard-Bell <<a href="mailto:a.cudbardb@freeradius.org" target="_blank">a.cudbardb@freeradius.org</a>> wrote:<br>
>><br>
>> ++[pap] returns noop<br>
>> Found Auth-Type = Accept<br>
>> Auth-Type = Accept, accepting the user<br>
>><br>
>> # Executing section post-auth from file /etc/freeradius/sites-enabled/default<br>
>> +- entering group post-auth {...}<br>
>> ++[exec] returns noop<br>
>> Sending Access-Accept of id 9 to 192.168.154.12 port 1065<br>
>> Finished request 0.<br>
>> Going to the next request<br>
>> Waking up in 4.9 seconds.<br>
>> Cleaning up request 0 ID 9 with timestamp +7<br>
>> Ready to process requests.<br>
>><br>
>><br>
>> I followed the plain mac auth guide to get this far, and the system sort of works, but not quite. So the configs must be out of whack somehow, but since radius doesn't give any debug info when I get booted out of the network I'm at a loss here. Any help?<br>
><br>
> If you're not seeing any information in the FreeRADIUS debug, then the Ruckus controller isn't sending anything. If you enable RADIUS accounting on the Ruckus you *may* get an Accounting-Request with the Acct-Terminate-Cause, which may give you a clue as to what's happening.<br>
><br>
> First though I would enable debugging logs on the controller to see if it's complaining about the Access-Accept coming back, it may be missing some attributes that the Ruckus controller needs.<br>
><br>
> I'd also verify the Access-Accept is actually reaching the controller (maybe dodgy routing).<br>
><br>
> It may also be that the Ruckus requires a Message-Authenticator in the Access-Accept, in which case inserting:<br>
><br>
> update reply {<br>
> Message-Authenticator = 0x00<br>
> }<br>
><br>
> Should trigger its generation.<br>
><br>
> I'd also try:<br>
><br>
> update reply {<br>
> Service-Type = Framed-User<br>
> }<br>
><br>
> (some NAS require a service type).<br>
><br>
> The delay suggests that the Ruckus may be discarding the responses from the RADIUS server, or never actually received the response. Do you see the request sent multiple times?<br>
><br>
> -Arran<br>
> -<br>
> List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
<br>
<br>
<br>
</div></div><span><font color="#888888">--<br>
Primož Marinšek<br>
</font></span></blockquote></div><br>
</div></div></blockquote></div><br>
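Added example, not part of the original thread: one way to check whether an Access-Accept would pass the validation a NAS may apply, covering the Response Authenticator, the presence of Service-Type, and the Message-Authenticator discussed in the quoted reply. The function names, the shared secret, the Request Authenticator and the packets are constructed for illustration; with a real capture, pass the reply bytes and the Request Authenticator taken from the matching Access-Request.

```python
import hashlib, hmac, struct

MESSAGE_AUTHENTICATOR, SERVICE_TYPE = 80, 6  # attribute types (RFC 2869, RFC 2865)

def parse_attrs(packet):
    """Return [(type, value_offset, value)] for each attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_reply(reply, request_auth, secret):
    """Report what a NAS validating this Access-Accept would find."""
    reply = reply[:struct.unpack("!H", reply[2:4])[0]]  # honour the Length field
    attrs = parse_attrs(reply)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    result = {"response_auth_ok": hmac.compare_digest(expected, reply[4:20]),
              "has_service_type": any(t == SERVICE_TYPE for t, _, _ in attrs),
              "message_auth": "absent"}
    for atype, off, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR:
            # HMAC-MD5 over header (Request Authenticator) + attributes, own value zeroed (RFC 3579)
            buf = bytearray(reply[:4] + request_auth + reply[20:])
            buf[off:off + 16] = bytes(16)
            mac = hmac.new(secret, bytes(buf), hashlib.md5).digest()
            ok = len(value) == 16 and hmac.compare_digest(mac, value)
            result["message_auth"] = "valid" if ok else "invalid"
    return result

def build_accept(ident, request_auth, secret, with_message_auth):
    """Construct a sample Access-Accept (code 2); test data, not a capture."""
    attrs = struct.pack("!BBI", SERVICE_TYPE, 6, 2)  # Service-Type = Framed-User
    if with_message_auth:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    if with_message_auth:
        mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

if __name__ == "__main__":
    secret, req_auth = b"testing123", bytes(range(16))  # constructed sample values
    for flag in (False, True):
        print(flag, check_reply(build_accept(9, req_auth, secret, flag), req_auth, secret))
```

A reply that reports `response_auth_ok` as false points to a shared-secret mismatch between server and NAS, which a NAS will silently discard.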