MacOSX Leopard authentication with Freeradius
Hi, I'm using freeRadius 2.0.3 on my WLAN. I have WindowsXP, WindowsVista and Apple (OSX) clients. Windows clients authenticate well with freeRadius but I have problems with OSX Leopard. I can't figure out where the problem originates from. I'm using MySQL, Cleartext-Passwords, PEAP auth, WPA-Enterprise, AES. The error that pops up while authenticating OSX is the following (see below for extended logs): Tue Jun 17 20:02:53 2008 : Error: TLS Alert read:warning:close notify Tue Jun 17 20:02:53 2008 : Auth: Login incorrect: [userX] (from client NAS1-WiFi port 8 cli 001c34c14d76) Does anybody have experience with OSX clients and freeRadius? Does anybody have a radiusd and eap configuration file which is known to work with OSX Leopard and could you post it to me? Ofcourse I realise that the problem could be with the AP (WAP54G) or the clients itself. I've done many hours of testing/reading though but can't figure out what's causing it. Ok, thanks for all your help! gr, Jelle Logs of "radiusd -X": -> As you can see I use a littlebit of a hacked version of the SQL implementation to use another MySQL table (integration with Lan Management System), but that shouldn't matter. As I said, other clients authenticate without problems. User-Name = "userX" NAS-IP-Address = 172.16.27.18 Called-Station-Id = "001a70abad32" Calling-Station-Id = "001b63c13f76" NAS-Identifier = "001a70abad32" NAS-Port = 8 Framed-MTU = 1400 State = 0xeb256c65e8d575619976542f479f49d4 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02f0002f1980000000251503010020c5ac7365546396895a7fb74e2ab11d3ec7a8f2de0a7c761fda82cbd9f1a99de2 Message-Authenticator = 0x2f90d0e5a8325a3bf379f1243dda8195 +- entering group authorize ++[preprocess] returns ok expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.27.18/auth-detail-20080617 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.27.18/auth-detail-20080617 expand: %t -> Tue Jun 17 20:17:07 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 240 length 47 rlm_eap: Continuing tunnel setup. ++[eap] returns ok expand: %{User-Name} -> userX rlm_sql (sql): sql_set_user escaped user --> 'userX' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id expand: SELECT 'dynamic' as groupname FROM customers WHERE name = '%{SQL-User-Name}' ORDER BY id -> SELECT 'dynamic' as groupname FROM customers WHERE name = 'userX' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 37 rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], warning close_notify TLS Alert read:warning:close notify SSL Connection Established rlm_eap_tls: Application Data rlm_eap_peap: Tunneled data is invalid. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [userX/<via Auth-Type = EAP>] (from client NAS1-WiFi port 8 cli 001b63c13f76) Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 EAP-Message = 0x04f00004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 9 ID 0 with timestamp +33
Jelle Langbroek wrote: ... The error that pops up while
authenticating OSX is the following (see below for extended logs):
Tue Jun 17 20:02:53 2008 : Error: TLS Alert read:warning:close notify
The client is telling the server that it's shutting down the TLS connection.
Tue Jun 17 20:02:53 2008 : Auth: Login incorrect: [userX] (from client NAS1-WiFi port 8 cli 001c34c14d76)
Does anybody have experience with OSX clients and freeRadius?
Apple.
Does anybody have a radiusd and eap configuration file which is known to work with OSX Leopard and could you post it to me?
So far as I know, the default configuration should work. My guess is that there's an error in the client configuration somewhere. Search for the TLS alert... message on google, and you'll see similar comments for other software.
Ofcourse I realise that the problem could be with the AP (WAP54G) or the clients itself. I've done many hours of testing/reading though but can't figure out what's causing it.
It's not the AP. Alan DeKok.
Alan DeKok wrote:
Jelle Langbroek wrote: ... The error that pops up while
authenticating OSX is the following (see below for extended logs):
Tue Jun 17 20:02:53 2008 : Error: TLS Alert read:warning:close notify
The client is telling the server that it's shutting down the TLS connection.
Tue Jun 17 20:02:53 2008 : Auth: Login incorrect: [userX] (from client NAS1-WiFi port 8 cli 001c34c14d76)
Does anybody have experience with OSX clients and freeRadius?
Apple.
Me, they work fine. We have several hundred of them authenticating on a daily basis. You using 10.5.3 ?
Does anybody have a radiusd and eap configuration file which is known to work with OSX Leopard and could you post it to me?
The standard one....
So far as I know, the default configuration should work. My guess is that there's an error in the client configuration somewhere. Search for the TLS alert... message on google, and you'll see similar comments for other software.
Ofcourse I realise that the problem could be with the AP (WAP54G) or the clients itself. I've done many hours of testing/reading though but can't figure out what's causing it.
It's not the AP.
Indeed.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Jelle Langbroek