Hi,
As far as I understand MacOS tries to use MS-CHAPv2 and this does not seem to work.
IIRC, Apple changed the TTLS default inner method away from PAP to EAP-MSCHAPv2 (not just MSCHAPv2) a few releases back. If you want an inner of (non-EAP)PAP then you have to tell the Mac and iOS devices with a .mobileconfig configuration file. Or you re-configure your FreeRADIUS to support MSCHAPv2 instead, if you have NT-Hashes or cleartext of the passwords of your users. If you want to generate .mobileconfig files and also config files for lots of other platforms all in one go, try https://802.1x-config.org Greetings, Stefan Winter
It seems my perl auth script does not get a password through while using mschapv2.
Am 2016-10-17 17:29, schrieb A.L.M.Buxey@lboro.ac.uk:
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 ++[auth_log] = ok [suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous@ash-berlin.eu" [suffix] No such realm "ash-berlin.eu"
so, a realm you are trying to auth isnt defined in the proxy.conf as one of your own eg
realm ash-berlin.eu { }
Did that :)
[files] users: Matched entry DEFAULT at line 1 what is on line 1 of your users file?(I shudder to think....)
Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user yes....see that warning. you are forcing rhe server to do something - eg Auth-Type is being manually set. you shouldnt need to do that...
I read this in the readme of rlm_perl which I use - http://wiki.freeradius.org/modules/Rlm_perl [1] So I set
DEFAULT Auth-Type := Perl Fall-Through = yes
in the users (ok now it is mods-config/files/authorize) file. The rest is commented out.
If I take this entry out login via Windows fails, too.
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE as you can see, this policy you have isnt matching. if you have the relam defined, you can just check for %{Realm} being populated...nice and easy.
Which would be the appropriate file to do this?
now, the debug never shows an access-accept or reject.....the server never ends up in an inner-tunnel.
what is the PERL script for? does it need to be called for an EAP auth in the outer phase? you need to streamline the policy so only calls to relevant modules are called in the outer phase and only the bits you need (once EAP tunnel has been configured, client happy with cert from server etc) are called....
The perl script is for a custom type of authentication only. I have difficulties understanding what inner and outer identity are. Do you have a good hint on what to read to fully understand this?
With kind regards, Marlen Caemmerer
-- ************************************************ Alice Salomon Hochschule Computerzentrum Marlen Caemmerer Alice-Salomon-Platz 5 12627 Berlin
Email: caemmerer@ash-berlin.eu ************************************************
Links: ------ [1] http://wiki.freeradius.org/modules/Rlm_perl
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66