iOS mysterious issues on Freeradius 3.0.14
Hello everyone, I've read a lot messages in Freeradius Forum and I continued misunderstand why iOS devices (iPhone, iPad) doesn't connect in my WPA-Enterprise wifi network. I've installed and configured a freeradius server, version 3.0.14, over openssl 1.1.0e (both have installed from sources on Debian 8). I've tested connect Android devices to my wifi network and everytime they can connect to the network, but iOS devices have mysterious issues. When I try connect iOS device to my wifi in first time, they can connect perfectly. Though, if this same iOS device lost connection (because it's out of range AP signal or air plane mode turn on by the user for 30 minutes or hours) and try connect again the device doesn't connect. When I've saw the debug mode, I've noticed that EAP-PEAP tunnel athentication was successful and server sent Access-Challenge, but device doesn't answer this challenge. I don't understand why the android devices doesn't this issues. Glad, Igor Sousa Wed Mar 22 07:33:50 2017 : Debug: Waking up in 1.1 seconds. Wed Mar 22 07:33:50 2017 : Debug: (17) Received Access-Request Id 8 from 10.41.17.64:1042 to 10.41.110.86:1812 length 255 Wed Mar 22 07:33:50 2017 : Debug: (17) Message-Authenticator = 0x50eb8b4ea5bffe022eda2db1d905b40e Wed Mar 22 07:33:50 2017 : Debug: (17) Service-Type = Framed-User Wed Mar 22 07:33:50 2017 : Debug: (17) User-Name = "userTest" Wed Mar 22 07:33:50 2017 : Debug: (17) Framed-MTU = 1488 Wed Mar 22 07:33:50 2017 : Debug: (17) State = 0x541acf3e5312d64e560d7f91490adef3 Wed Mar 22 07:33:50 2017 : Debug: (17) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste" Wed Mar 22 07:33:50 2017 : Debug: (17) Calling-Station-Id = "4C-57-CA-E2-E9-8D" Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-Identifier = "3Com Access Point 7760" Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-Port-Type = Wireless-802.11 Wed Mar 22 07:33:50 2017 : Debug: (17) Connect-Info = "CONNECT 54Mbps 802.11g" Wed Mar 22 07:33:50 2017 : Debug: (17) EAP-Message = 0x0208002b19001703010020b525f058fa80f3f09e827ff6899bf36e4cab 3f5023d51a927e3e3accc04d61bd Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-IP-Address = 10.41.17.64 Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-Port = 1 Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-Port-Id = "STA port # 1" Wed Mar 22 07:33:50 2017 : Debug: (17) session-state: No cached attributes Wed Mar 22 07:33:50 2017 : Debug: (17) # Executing section authorize from file /etc/raddb/sites-enabled/default Wed Mar 22 07:33:50 2017 : Debug: (17) authorize { Wed Mar 22 07:33:50 2017 : Debug: (17) modsingle[authorize]: calling preprocess (rlm_preprocess) Wed Mar 22 07:33:50 2017 : Debug: (17) modsingle[authorize]: returned from preprocess (rlm_preprocess) Wed Mar 22 07:33:50 2017 : Debug: (17) [preprocess] = ok Wed Mar 22 07:33:50 2017 : Debug: (17) modsingle[authorize]: calling eap (rlm_eap) Wed Mar 22 07:33:50 2017 : Debug: (17) eap: Peer sent EAP Response (code 2) ID 8 length 43 Wed Mar 22 07:33:50 2017 : Debug: (17) eap: Continuing tunnel setup Wed Mar 22 07:33:50 2017 : Debug: (17) modsingle[authorize]: returned from eap (rlm_eap) Wed Mar 22 07:33:50 2017 : Debug: (17) [eap] = ok Wed Mar 22 07:33:50 2017 : Debug: (17) } # authorize = ok Wed Mar 22 07:33:50 2017 : Debug: (17) Found Auth-Type = eap Wed Mar 22 07:33:50 2017 : Debug: (17) # Executing group from file /etc/raddb/sites-enabled/default Wed Mar 22 07:33:50 2017 : Debug: (17) authenticate { Wed Mar 22 07:33:50 2017 : Debug: (17) modsingle[authenticate]: calling eap (rlm_eap) Wed Mar 22 07:33:50 2017 : Debug: (17) eap: Expiring EAP session with state 0xb44ea59dbc47bc85 Wed Mar 22 07:33:50 2017 : Debug: (17) eap: Finished EAP session with state 0x541acf3e5312d64e Wed Mar 22 07:33:50 2017 : Debug: (17) eap: Previous EAP request found for state 0x541acf3e5312d64e, released from the list Wed Mar 22 07:33:50 2017 : Debug: (17) eap: Peer sent packet with method EAP PEAP (25) Wed Mar 22 07:33:50 2017 : Debug: (17) eap: Calling submodule eap_peap to process data Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Continuing EAP-TLS Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Peer sent flags --- Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: [eaptls verify] = ok Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Done initial handshake Wed Mar 22 07:33:50 2017 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0 Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: [eaptls process] = ok Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Session established. Decoding tunneled attributes Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: PEAP state phase2 Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: EAP method MSCHAPv2 (26) Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Got tunneled request Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: EAP-Message = 0x020800061a03 Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Setting User-Name to userTest Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Sending tunneled request to inner-tunnel Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: EAP-Message = 0x020800061a03 Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: User-Name = "userTest" Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: State = 0x1c722cc11d7a36d74beb044945cb21bf Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Service-Type = Framed-User Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Framed-MTU = 1488 Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste" Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D" Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: NAS-Identifier = "3Com Access Point 7760" Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: NAS-Port-Type = Wireless-802.11 Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g" Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: NAS-IP-Address = 10.41.17.64 Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: NAS-Port = 1 Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: NAS-Port-Id = "STA port # 1" Wed Mar 22 07:33:50 2017 : Debug: (17) eap_peap: Event-Timestamp = "Mar 22 2017 07:33:50 -03" Wed Mar 22 07:33:50 2017 : Debug: (17) Virtual server inner-tunnel received request Wed Mar 22 07:33:50 2017 : Debug: (17) EAP-Message = 0x020800061a03 Wed Mar 22 07:33:50 2017 : Debug: (17) FreeRADIUS-Proxied-To = 127.0.0.1 Wed Mar 22 07:33:50 2017 : Debug: (17) User-Name = "userTest" Wed Mar 22 07:33:50 2017 : Debug: (17) State = 0x1c722cc11d7a36d74beb044945cb21bf Wed Mar 22 07:33:50 2017 : Debug: (17) Service-Type = Framed-User Wed Mar 22 07:33:50 2017 : Debug: (17) Framed-MTU = 1488 Wed Mar 22 07:33:50 2017 : Debug: (17) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste" Wed Mar 22 07:33:50 2017 : Debug: (17) Calling-Station-Id = "4C-57-CA-E2-E9-8D" Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-Identifier = "3Com Access Point 7760" Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-Port-Type = Wireless-802.11 Wed Mar 22 07:33:50 2017 : Debug: (17) Connect-Info = "CONNECT 54Mbps 802.11g" Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-IP-Address = 10.41.17.64 Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-Port = 1 Wed Mar 22 07:33:50 2017 : Debug: (17) NAS-Port-Id = "STA port # 1" Wed Mar 22 07:33:50 2017 : Debug: (17) Event-Timestamp = "Mar 22 2017 07:33:50 -03" Wed Mar 22 07:33:50 2017 : WARNING: (17) Outer and inner identities are the same. User privacy is compromised. Wed Mar 22 07:33:50 2017 : Debug: (17) server inner-tunnel { Wed Mar 22 07:33:50 2017 : Debug: (17) session-state: No cached attributes Wed Mar 22 07:33:50 2017 : Debug: (17) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel Wed Mar 22 07:33:50 2017 : Debug: (17) authorize { Wed Mar 22 07:33:50 2017 : Debug: (17) modsingle[authorize]: calling eap (rlm_eap) Wed Mar 22 07:33:50 2017 : Debug: (17) eap: Peer sent EAP Response (code 2) ID 8 length 6 Wed Mar 22 07:33:50 2017 : Debug: (17) eap: No EAP Start, assuming it's an on-going EAP conversation Wed Mar 22 07:33:50 2017 : Debug: (17) modsingle[authorize]: returned from eap (rlm_eap) Wed Mar 22 07:33:50 2017 : Debug: (17) [eap] = updated Wed Mar 22 07:33:50 2017 : Debug: (17) modsingle[authorize]: calling ldap (rlm_ldap) Wed Mar 22 07:33:50 2017 : Debug: (17) ldap: EXPAND TMPL LITERAL Wed Mar 22 07:33:50 2017 : Debug: rlm_ldap (ldap): Reserved connection (3) Wed Mar 22 07:33:50 2017 : Debug: (17) ldap: EXPAND TMPL XLAT Wed Mar 22 07:33:50 2017 : Debug: (uid=%{%{Stripped-User-Name}:- %{User-Name}}) Wed Mar 22 07:33:50 2017 : Debug: Parsed xlat tree: Wed Mar 22 07:33:50 2017 : Debug: literal --> (uid= Wed Mar 22 07:33:50 2017 : Debug: XLAT-IF { Wed Mar 22 07:33:50 2017 : Debug: attribute --> Stripped-User-Name Wed Mar 22 07:33:50 2017 : Debug: } Wed Mar 22 07:33:50 2017 : Debug: XLAT-ELSE { Wed Mar 22 07:33:50 2017 : Debug: attribute --> User-Name Wed Mar 22 07:33:50 2017 : Debug: } Wed Mar 22 07:33:50 2017 : Debug: literal --> ) Wed Mar 22 07:33:50 2017 : Debug: (17) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Wed Mar 22 07:33:50 2017 : Debug: (17) ldap: --> (uid=userTest) Wed Mar 22 07:33:50 2017 : Debug: (17) ldap: EXPAND TMPL LITERAL Wed Mar 22 07:33:50 2017 : Debug: (17) ldap: Performing search in "ou=people,dc=test,dc=br" with filter "(uid=userTest)", scope "sub" Wed Mar 22 07:33:50 2017 : Debug: (17) ldap: Waiting for search result... Wed Mar 22 07:33:53 2017 : Debug: (17) ldap: User object found at DN "uid=userTest,ou=people,dc=test,dc=br" Wed Mar 22 07:33:53 2017 : Debug: (17) ldap: Processing user attributes Wed Mar 22 07:33:53 2017 : Debug: (17) ldap: control:NT-Password := 0x3145333941394139324632423038413045363942344435414441374535333332 Wed Mar 22 07:33:53 2017 : Debug: rlm_ldap (ldap): Released connection (3) Wed Mar 22 07:33:53 2017 : Info: Need 2 more connections to reach 10 spares Wed Mar 22 07:33:53 2017 : Info: rlm_ldap (ldap): Opening additional connection (8), 1 of 24 pending slots used Wed Mar 22 07:33:53 2017 : Debug: rlm_ldap (ldap): Connecting to ldap:// 10.0.0.2:389 Wed Mar 22 07:33:53 2017 : Debug: rlm_ldap (ldap): New libldap handle 0x1d2afa0 Wed Mar 22 07:33:53 2017 : Debug: rlm_ldap (ldap): Waiting for bind result... Wed Mar 22 07:33:53 2017 : Debug: rlm_ldap (ldap): Bind successful Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authorize]: returned from ldap (rlm_ldap) Wed Mar 22 07:33:53 2017 : Debug: (17) [ldap] = updated Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authorize]: calling expiration (rlm_expiration) Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authorize]: returned from expiration (rlm_expiration) Wed Mar 22 07:33:53 2017 : Debug: (17) [expiration] = noop Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authorize]: calling logintime (rlm_logintime) Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authorize]: returned from logintime (rlm_logintime) Wed Mar 22 07:33:53 2017 : Debug: (17) [logintime] = noop Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authorize]: calling pap (rlm_pap) Wed Mar 22 07:33:53 2017 : Debug: (17) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes Wed Mar 22 07:33:53 2017 : WARNING: (17) pap: Auth-Type already set. Not setting to PAP Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authorize]: returned from pap (rlm_pap) Wed Mar 22 07:33:53 2017 : Debug: (17) [pap] = noop Wed Mar 22 07:33:53 2017 : Debug: (17) } # authorize = updated Wed Mar 22 07:33:53 2017 : Debug: (17) Found Auth-Type = eap Wed Mar 22 07:33:53 2017 : Debug: (17) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel Wed Mar 22 07:33:53 2017 : Debug: (17) authenticate { Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authenticate]: calling eap (rlm_eap) Wed Mar 22 07:33:53 2017 : Debug: (17) eap: Expiring EAP session with state 0xb44ea59dbc47bc85 Wed Mar 22 07:33:53 2017 : Debug: (17) eap: Finished EAP session with state 0x1c722cc11d7a36d7 Wed Mar 22 07:33:53 2017 : Debug: (17) eap: Previous EAP request found for state 0x1c722cc11d7a36d7, released from the list Wed Mar 22 07:33:53 2017 : Debug: (17) eap: Peer sent packet with method EAP MSCHAPv2 (26) Wed Mar 22 07:33:53 2017 : Debug: (17) eap: Calling submodule eap_mschapv2 to process data Wed Mar 22 07:33:53 2017 : Debug: (17) eap: Sending EAP Success (code 3) ID 8 length 4 Wed Mar 22 07:33:53 2017 : Debug: (17) eap: Freeing handler Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authenticate]: returned from eap (rlm_eap) Wed Mar 22 07:33:53 2017 : Debug: (17) [eap] = ok Wed Mar 22 07:33:53 2017 : Debug: (17) } # authenticate = ok Wed Mar 22 07:33:53 2017 : Debug: (17) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel Wed Mar 22 07:33:53 2017 : Debug: (17) post-auth { ... } # empty sub-section is ignored Wed Mar 22 07:33:53 2017 : Debug: (17) } # server inner-tunnel Wed Mar 22 07:33:53 2017 : Debug: (17) Virtual server sending reply Wed Mar 22 07:33:53 2017 : Debug: (17) MS-MPPE-Encryption-Policy = Encryption-Allowed Wed Mar 22 07:33:53 2017 : Debug: (17) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed Wed Mar 22 07:33:53 2017 : Debug: (17) MS-MPPE-Send-Key = 0x08c8bbae983e14d7b8a0955f9179ce92 Wed Mar 22 07:33:53 2017 : Debug: (17) MS-MPPE-Recv-Key = 0x3762aac5c66a4ebf4733057f2b634292 Wed Mar 22 07:33:53 2017 : Debug: (17) EAP-Message = 0x03080004 Wed Mar 22 07:33:53 2017 : Debug: (17) Message-Authenticator = 0x00000000000000000000000000000000 Wed Mar 22 07:33:53 2017 : Debug: (17) User-Name = "userTest" Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: Got tunneled reply code 2 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: MS-MPPE-Send-Key = 0x08c8bbae983e14d7b8a0955f9179ce92 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: MS-MPPE-Recv-Key = 0x3762aac5c66a4ebf4733057f2b634292 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: EAP-Message = 0x03080004 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: User-Name = "userTest" Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: Got tunneled reply RADIUS code 2 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: MS-MPPE-Send-Key = 0x08c8bbae983e14d7b8a0955f9179ce92 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: MS-MPPE-Recv-Key = 0x3762aac5c66a4ebf4733057f2b634292 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: EAP-Message = 0x03080004 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: User-Name = "userTest" Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: Tunneled authentication was successful Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: SUCCESS Wed Mar 22 07:33:53 2017 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0 Wed Mar 22 07:33:53 2017 : Debug: (17) eap_peap: Saving tunneled attributes for later Wed Mar 22 07:33:53 2017 : Debug: (17) eap: Sending EAP Request (code 1) ID 9 length 43 Wed Mar 22 07:33:53 2017 : Debug: (17) eap: EAP session adding &reply:State = 0x541acf3e5c13d64e Wed Mar 22 07:33:53 2017 : Debug: (17) modsingle[authenticate]: returned from eap (rlm_eap) Wed Mar 22 07:33:53 2017 : Debug: (17) [eap] = handled Wed Mar 22 07:33:53 2017 : Debug: (17) } # authenticate = handled Wed Mar 22 07:33:53 2017 : Debug: (17) Using Post-Auth-Type Challenge Wed Mar 22 07:33:53 2017 : Debug: (17) Post-Auth-Type sub-section not found. Ignoring. Wed Mar 22 07:33:53 2017 : Debug: (17) # Executing group from file /etc/raddb/sites-enabled/default Wed Mar 22 07:33:53 2017 : Debug: (17) session-state: Nothing to cache Wed Mar 22 07:33:53 2017 : Debug: (17) Sent Access-Challenge Id 8 from 10.41.110.86:1812 to 10.41.17.64:1042 length 0 Wed Mar 22 07:33:53 2017 : Debug: (17) EAP-Message = 0x0109002b1900170301002040009148da66c66e92399186be36b8b9bfb2 dd86e5e250997e63aa0d31227eff Wed Mar 22 07:33:53 2017 : Debug: (17) Message-Authenticator = 0x00000000000000000000000000000000 Wed Mar 22 07:33:53 2017 : Debug: (17) State = 0x541acf3e5c13d64e560d7f91490adef3 Wed Mar 22 07:33:53 2017 : Debug: (17) Finished request Wed Mar 22 07:33:53 2017 : Debug: (8) Cleaning up request packet ID 8 with timestamp +7 Wed Mar 22 07:33:53 2017 : Debug: (9) Cleaning up request packet ID 0 with timestamp +10 Wed Mar 22 07:33:53 2017 : Debug: (10) Cleaning up request packet ID 1 with timestamp +10 Wed Mar 22 07:33:53 2017 : Debug: (11) Cleaning up request packet ID 2 with timestamp +10 Wed Mar 22 07:33:53 2017 : Debug: (12) Cleaning up request packet ID 3 with timestamp +10 Wed Mar 22 07:33:53 2017 : Debug: (13) Cleaning up request packet ID 4 with timestamp +10 Wed Mar 22 07:33:53 2017 : Debug: (14) Cleaning up request packet ID 5 with timestamp +10 Wed Mar 22 07:33:53 2017 : Debug: (15) Cleaning up request packet ID 6 with timestamp +10 Wed Mar 22 07:33:53 2017 : Debug: (7) Cleaning up request packet ID 7 with timestamp +3 Wed Mar 22 07:33:53 2017 : Debug: Waking up in 4.9 seconds. Wed Mar 22 07:33:58 2017 : Debug: (17) Cleaning up request packet ID 8 with timestamp +14 Wed Mar 22 07:33:58 2017 : Debug: Waking up in 1.8 seconds. Wed Mar 22 07:34:00 2017 : Debug: (16) Cleaning up request packet ID 7 with timestamp +10 Wed Mar 22 07:34:00 2017 : Info: Ready to process requests
On Mar 22, 2017, at 7:39 AM, Igor Sousa <igorvolt@gmail.com> wrote:
I've read a lot messages in Freeradius Forum and I continued misunderstand why iOS devices (iPhone, iPad) doesn't connect in my WPA-Enterprise wifi network. I've installed and configured a freeradius server, version 3.0.14, over openssl 1.1.0e (both have installed from sources on Debian 8). I've tested connect Android devices to my wifi network and everytime they can connect to the network, but iOS devices have mysterious issues.
iOS may be magic... Apple doesn't talk to anyone else, so that doesn't help.
When I try connect iOS device to my wifi in first time, they can connect perfectly. Though, if this same iOS device lost connection (because it's out of range AP signal or air plane mode turn on by the user for 30 minutes or hours) and try connect again the device doesn't connect.
Maybe it's related to session resumption? Have you turned that off?
When I've saw the debug mode, I've noticed that EAP-PEAP tunnel athentication was successful and server sent Access-Challenge, but device doesn't answer this challenge. I don't understand why the android devices doesn't this issues.
No idea. I know that many, many, universities are using FreeRADIUS with iOS, so it *should* work.
Wed Mar 22 07:33:50 2017 : Debug: Waking up in 1.1 seconds. Wed Mar 22 07:33:50 2017 : Debug: (17) Received Access-Request Id 8 from 10.41.17.64:1042 to 10.41.110.86:1812 length 255
PLEASE follow the instructions, and use "radiusd -X". Doing "-Xx" just makes the debug output harder to read. Alan DeKok.
I am having the same problems, I run a tls/id-password 802.1x network at East Stroudsburg University. This is not easy research, since the error messages you receive no one else seems to see. My problem may be that apple devices are no longer accepting self signed certs, but I have also looked at os x upgrades [home brew/openssl problems] for openssl. I am working all of this issue by issue. I am still looking to resolve this, obviously it is not a ³bug² windows 7 and windows 10 is working. My next problem is in finding a working 802.1x supplicant that works for linux [SuSe / redhat-fedora]. It¹s like shoveling snow in a snow storm. You shovel a space clean, and before you can turn around snow has blown, and fallen into the space again. [Sorry, my back is reminding me of last weeks blizzard.] Blessed are the meek, they will in herit the earth. I have been working at this for months, one bug leads to the next. I am looking at a very small inheritance. Radiusd 3.0.11 Openssl 1.0.2-fips I haven¹t even tried my iphone, I am still trying to get os x to work. tob On 3/22/17, 11:37, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
On Mar 22, 2017, at 7:39 AM, Igor Sousa <igorvolt@gmail.com> wrote:
I've read a lot messages in Freeradius Forum and I continued misunderstand why iOS devices (iPhone, iPad) doesn't connect in my WPA-Enterprise wifi network. I've installed and configured a freeradius server, version 3.0.14, over openssl 1.1.0e (both have installed from sources on Debian 8). I've tested connect Android devices to my wifi network and everytime they can connect to the network, but iOS devices have mysterious issues.
iOS may be magic... Apple doesn't talk to anyone else, so that doesn't help.
When I try connect iOS device to my wifi in first time, they can connect perfectly. Though, if this same iOS device lost connection (because it's out of range AP signal or air plane mode turn on by the user for 30 minutes or hours) and try connect again the device doesn't connect.
Maybe it's related to session resumption? Have you turned that off?
When I've saw the debug mode, I've noticed that EAP-PEAP tunnel athentication was successful and server sent Access-Challenge, but device doesn't answer this challenge. I don't understand why the android devices doesn't this issues.
No idea. I know that many, many, universities are using FreeRADIUS with iOS, so it *should* work.
Wed Mar 22 07:33:50 2017 : Debug: Waking up in 1.1 seconds. Wed Mar 22 07:33:50 2017 : Debug: (17) Received Access-Request Id 8 from 10.41.17.64:1042 to 10.41.110.86:1812 length 255
PLEASE follow the instructions, and use "radiusd -X". Doing "-Xx" just makes the debug output harder to read.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 22, 2017, at 1:06 PM, John Tobin <jtobin@po-box.esu.edu> wrote:
My problem may be that apple devices are no longer accepting self signed certs,
There has to be something else going on. I'm using a self-signed certificate every day with OSX to get WiFi access. The certificate was created with the standard FreeRADIUS OpenSSL scripts. So that just works. How did you create the self-signed certificate? What openssl config file / command-line did you use? My *guess* here is that you're using older digest (or other) options which Windows accepts, and OSX doesn't... for security. Re-ussing the certificate with modern digest / options should make it work. Alan DeKok.
Hi, you're probably hitting either of 2 things 1) the certificate/CA doesnt have the required thigns for iOS/OSX but windows is still happy with it (thinking SAN or size or not SHA1 server cert, just SHA1 CA or such). 2) TLS1.2 issue - you have FR 3.0.x and OpenSSL 1.0.x - that rings alarm bells. disable the TLS1.2 negotiation until you have latest version of FR and OpenSSL 1.1.x on the system. alan
This is not easy research, since the error messages you receive no one else seems to see. My problem may be that apple devices are no longer accepting self signed certs, but I have also looked at os x upgrades [home brew/openssl problems] for openssl.
If the OS is rejecting the cert (or visa versa), you'll see something like: Error: TLS Alert fatal: blah blah blah The original poster was getting all the way through MS-CHAP inner authentication, so it was could not have been a certificate issue since the TLS tunnel had successfully established.
Ah, you mean like this: [ERROR: TLS is down a bit, I took the entire transaction out of the logŠ] (86) Received Access-Request Id 196 from 10.99.7.190:1645 <http://10.99.7.190:1645/> to 10.99.7.21:1812 <http://10.99.7.21:1812/> length 153 (86) User-Name = "tobi1" (86) Framed-MTU = 1400 (86) Called-Station-Id = "0022.90bd.9500" (86) Calling-Station-Id = "0025.4b8e.15b9" (86) Service-Type = Login-User (86) Message-Authenticator = 0x5f033b48ec2f2a210b5e0ce5379cdf49 (86) EAP-Message = 0x0205001119800000000715030100020100 (86) NAS-Port-Type = Wireless-802.11 (86) NAS-Port = 394 (86) NAS-Port-Id = "394" (86) State = 0xe046c6d9e243dfdaa11e15be1d36d7b4 (86) NAS-IP-Address = 10.99.7.190 (86) NAS-Identifier = "ap" (86) session-state: No cached attributes (86) # Executing section authorize from file /etc/raddb/sites-enabled/default (86) authorize { (86) policy filter_username { (86) if (&User-Name) { (86) if (&User-Name) -> TRUE (86) if (&User-Name) { (86) if (&User-Name =~ / /) { (86) if (&User-Name =~ / /) -> FALSE (86) if (&User-Name =~ /@[^@]*@/ ) { (86) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (86) if (&User-Name =~ /\.\./ ) { (86) if (&User-Name =~ /\.\./ ) -> FALSE (86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (86) if (&User-Name =~ /\.$/) { (86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (86) if (&User-Name =~ /\.$/) { (86) if (&User-Name =~ /\.$/) -> FALSE (86) if (&User-Name =~ /@\./) { (86) if (&User-Name =~ /@\./) -> FALSE (86) } # if (&User-Name) = notfound (86) } # policy filter_username = notfound (86) [preprocess] = ok (86) [chap] = noop (86) [mschap] = noop (86) [digest] = noop (86) suffix: Checking for suffix after "@" (86) suffix: No '@' in User-Name = "tobi1", looking up realm NULL (86) suffix: No such realm "NULL" (86) [suffix] = noop (86) eap: Peer sent EAP Response (code 2) ID 5 length 17 (86) eap: Continuing tunnel setup (86) [eap] = ok (86) } # authorize = ok (86) Found Auth-Type = eap (86) # Executing group from file /etc/raddb/sites-enabled/default (86) authenticate { (86) eap: Expiring EAP session with state 0xe046c6d9e243dfda (86) eap: Finished EAP session with state 0xe046c6d9e243dfda (86) eap: Previous EAP request found for state 0xe046c6d9e243dfda, released from the list (86) eap: Peer sent packet with method EAP PEAP (25) (86) eap: Calling submodule eap_peap to process data (86) eap_peap: Continuing EAP-TLS (86) eap_peap: Peer indicated complete TLS record size will be 7 bytes (86) eap_peap: Got complete TLS record (7 bytes) (86) eap_peap: [eaptls verify] = length included (86) eap_peap: <<< recv TLS 1.0 Alert [length 0002], warning close_notify (86) eap_peap: ERROR: TLS_accept: Failed in unknown state (86) eap_peap: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (86) eap_peap: ERROR: SSL_read failed in a system call (-1), TLS session failed (86) eap_peap: ERROR: TLS receive handshake failed during operation (86) eap_peap: ERROR: [eaptls process] = fail (86) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (86) eap: Sending EAP Failure (code 4) ID 5 length 4 (86) eap: Failed in EAP select (86) [eap] = invalid (86) } # authenticate = invalid (86) Failed to authenticate the user (86) Using Post-Auth-Type Reject (86) # Executing group from file /etc/raddb/sites-enabled/default (86) Post-Auth-Type REJECT { (86) attr_filter.access_reject: EXPAND %{User-Name} (86) attr_filter.access_reject: --> tobi1 (86) attr_filter.access_reject: Matched entry DEFAULT at line 11 (86) [attr_filter.access_reject] = updated (86) [eap] = noop (86) policy remove_reply_message_if_eap { (86) if (&reply:EAP-Message && &reply:Reply-Message) { (86) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (86) else { (86) [noop] = noop (86) } # else = noop (86) } # policy remove_reply_message_if_eap = noop (86) } # Post-Auth-Type REJECT = updated (86) } # policy remove_reply_message_if_eap = noop (86) } # Post-Auth-Type REJECT = updated (86) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (86) Sending delayed response (86) Sent Access-Reject Id 196 from 10.99.7.21:1812 <http://10.99.7.21:1812/> to 10.99.7.190:1645 <http://10.99.7.190:1645/> length 44 (86) EAP-Message = 0x04050004 (86) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Š.. Waking up in 0.1 seconds. (86) Cleaning up request packet ID 196 with timestamp +1294629 Ready to process requests Ready to process requests Signalled to terminate Exiting normally rlm_ldap (ldap): Removing connection pool rlm_ldap (ldap): Closing connection (12) rlm_ldap (ldap): Closing connection (11) rlm_ldap (ldap): Closing connection (10) tls: Freeing cached session VPs On 3/22/17, 13:20, "Freeradius-Users on behalf of Brian Julin" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of BJulin@clarku.edu> wrote:
This is not easy research, since the error messages you receive no one else seems to see. My problem may be that apple devices are no longer accepting self signed certs, but I have also looked at os x upgrades [home brew/openssl problems] for openssl.
If the OS is rejecting the cert (or visa versa), you'll see something like:
Error: TLS Alert fatal: blah blah blah
The original poster was getting all the way through MS-CHAP inner authentication, so it was could not have been a certificate issue since the TLS tunnel had successfully established.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The log snip below, shows test on os x Sierra, Windows 7 works, I have not had the time to test win 10. So free Radiusd works, this is just an apple os x problem, server cert is self signed, dot1xprofiler is my profile app, and has both the signed cert [server.pem] and client cert [client.p12] generated by the make in /etc/raddb/certs. On 3/22/17, 16:37, "John Tobin" <jtobin@po-box.esu.edu> wrote:
Ah, you mean like this: [ERROR: TLS is down a bit, I took the entire transaction out of the logŠ]
(86) Received Access-Request Id 196 from 10.99.7.190:1645 <http://10.99.7.190:1645/> to 10.99.7.21:1812 <http://10.99.7.21:1812/> length 153 (86) User-Name = "tobi1" (86) Framed-MTU = 1400 (86) Called-Station-Id = "0022.90bd.9500" (86) Calling-Station-Id = "0025.4b8e.15b9" (86) Service-Type = Login-User (86) Message-Authenticator = 0x5f033b48ec2f2a210b5e0ce5379cdf49 (86) EAP-Message = 0x0205001119800000000715030100020100 (86) NAS-Port-Type = Wireless-802.11 (86) NAS-Port = 394 (86) NAS-Port-Id = "394" (86) State = 0xe046c6d9e243dfdaa11e15be1d36d7b4 (86) NAS-IP-Address = 10.99.7.190 (86) NAS-Identifier = "ap" (86) session-state: No cached attributes (86) # Executing section authorize from file /etc/raddb/sites-enabled/default (86) authorize { (86) policy filter_username { (86) if (&User-Name) { (86) if (&User-Name) -> TRUE (86) if (&User-Name) { (86) if (&User-Name =~ / /) { (86) if (&User-Name =~ / /) -> FALSE (86) if (&User-Name =~ /@[^@]*@/ ) { (86) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (86) if (&User-Name =~ /\.\./ ) { (86) if (&User-Name =~ /\.\./ ) -> FALSE (86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (86) if (&User-Name =~ /\.$/) { (86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (86) if (&User-Name =~ /\.$/) { (86) if (&User-Name =~ /\.$/) -> FALSE (86) if (&User-Name =~ /@\./) { (86) if (&User-Name =~ /@\./) -> FALSE (86) } # if (&User-Name) = notfound (86) } # policy filter_username = notfound (86) [preprocess] = ok (86) [chap] = noop (86) [mschap] = noop (86) [digest] = noop (86) suffix: Checking for suffix after "@" (86) suffix: No '@' in User-Name = "tobi1", looking up realm NULL (86) suffix: No such realm "NULL" (86) [suffix] = noop (86) eap: Peer sent EAP Response (code 2) ID 5 length 17 (86) eap: Continuing tunnel setup (86) [eap] = ok (86) } # authorize = ok (86) Found Auth-Type = eap (86) # Executing group from file /etc/raddb/sites-enabled/default (86) authenticate { (86) eap: Expiring EAP session with state 0xe046c6d9e243dfda (86) eap: Finished EAP session with state 0xe046c6d9e243dfda (86) eap: Previous EAP request found for state 0xe046c6d9e243dfda, released from the list (86) eap: Peer sent packet with method EAP PEAP (25) (86) eap: Calling submodule eap_peap to process data (86) eap_peap: Continuing EAP-TLS (86) eap_peap: Peer indicated complete TLS record size will be 7 bytes (86) eap_peap: Got complete TLS record (7 bytes) (86) eap_peap: [eaptls verify] = length included (86) eap_peap: <<< recv TLS 1.0 Alert [length 0002], warning close_notify (86) eap_peap: ERROR: TLS_accept: Failed in unknown state (86) eap_peap: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (86) eap_peap: ERROR: SSL_read failed in a system call (-1), TLS session failed (86) eap_peap: ERROR: TLS receive handshake failed during operation (86) eap_peap: ERROR: [eaptls process] = fail (86) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (86) eap: Sending EAP Failure (code 4) ID 5 length 4 (86) eap: Failed in EAP select (86) [eap] = invalid (86) } # authenticate = invalid (86) Failed to authenticate the user (86) Using Post-Auth-Type Reject (86) # Executing group from file /etc/raddb/sites-enabled/default (86) Post-Auth-Type REJECT { (86) attr_filter.access_reject: EXPAND %{User-Name} (86) attr_filter.access_reject: --> tobi1 (86) attr_filter.access_reject: Matched entry DEFAULT at line 11 (86) [attr_filter.access_reject] = updated (86) [eap] = noop (86) policy remove_reply_message_if_eap { (86) if (&reply:EAP-Message && &reply:Reply-Message) { (86) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (86) else { (86) [noop] = noop (86) } # else = noop (86) } # policy remove_reply_message_if_eap = noop (86) } # Post-Auth-Type REJECT = updated (86) } # policy remove_reply_message_if_eap = noop (86) } # Post-Auth-Type REJECT = updated (86) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (86) Sending delayed response (86) Sent Access-Reject Id 196 from 10.99.7.21:1812 <http://10.99.7.21:1812/> to 10.99.7.190:1645 <http://10.99.7.190:1645/> length 44 (86) EAP-Message = 0x04050004 (86) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Š.. Waking up in 0.1 seconds. (86) Cleaning up request packet ID 196 with timestamp +1294629 Ready to process requests Ready to process requests Signalled to terminate Exiting normally rlm_ldap (ldap): Removing connection pool rlm_ldap (ldap): Closing connection (12) rlm_ldap (ldap): Closing connection (11) rlm_ldap (ldap): Closing connection (10) tls: Freeing cached session VPs
On 3/22/17, 13:20, "Freeradius-Users on behalf of Brian Julin" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of BJulin@clarku.edu> wrote:
This is not easy research, since the error messages you receive no one else seems to see. My problem may be that apple devices are no longer accepting self signed certs, but I have also looked at os x upgrades [home brew/openssl problems] for openssl.
If the OS is rejecting the cert (or visa versa), you'll see something like:
Error: TLS Alert fatal: blah blah blah
The original poster was getting all the way through MS-CHAP inner authentication, so it was could not have been a certificate issue since the TLS tunnel had successfully established.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
The log snip below, shows test on os x Sierra, Windows 7 works, I have not had the time to test win 10. So free Radiusd works, this is just an apple os x problem, server cert is self signed, dot1xprofiler is my profile app, and has both the signed cert [server.pem] and client cert [client.p12] generated by the make in /etc/raddb/certs.
well, client issue....TLS issue... I would suggest looking at my previous response and trying that config option out. alan
Where is the tls 1.2 negotiation documented, I am somewhat of a newbie, I did search google for tls disable free radiusd, etc. didn¹t see anything like a disable switch/ or option, but then I may not have been looking in the right place. The only note that makes sense is one that says you simply don¹t install the client cert. The problem I am facing maybe using the Dot1xprofiler. It doesn¹t have all the options I need to put in 1. Certificate[s], and a WPA password, and an userid/passwprd pair. I may have a work around for that -> I build the Dot1xprofile, then use the command line profile command to print out the plist of the profile [profiles -L -o [pathAndFileName] -> run man on the profiles command look at the examples] then edit the profile to include wpa2 EncrptionType, and fill in a password, then use the profiles command again to recreate [install] the profile with you updates. Well some thing like that. Give me a word on the tls situation. I do get it, if you don¹t include the client cert, then the TLS [with the server cert installed] checks to make sure you have the correct server, and the client authentication is by userid / Password. But that is kind of a miss of true TLS which would need both the server and the client cert supported. tob On 3/22/17, 18:16, "Freeradius-Users on behalf of A.L.M.Buxey@lboro.ac.uk" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
The log snip below, shows test on os x Sierra, Windows 7 works, I have not had the time to test win 10. So free Radiusd works, this is just an apple os x problem, server cert is self signed, dot1xprofiler is my profile app, and has both the signed cert [server.pem] and client cert [client.p12] generated by the make in /etc/raddb/certs.
well, client issue....TLS issue... I would suggest looking at my previous response and trying that config option out.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 23, 2017, at 2:34 PM, John Tobin <jtobin@po-box.esu.edu> wrote:
Where is the tls 1.2 negotiation documented, I am somewhat of a newbie, I did search google for tls disable free radiusd, etc. didn¹t see anything like a disable switch/ or option, but then I may not have been looking in the right place.
Google is generally worse than reading the server's documentation, or the config files. For EAP-TLS methods... edit the EAP module configuration. i.e. raddb/mods-available/eap. Look for "tls".
Give me a word on the tls situation. I do get it, if you don¹t include the client cert, then the TLS [with the server cert installed] checks to make sure you have the correct server, and the client authentication is by userid / Password. But that is kind of a miss of true TLS which would need both the server and the client cert supported.
You can use EAP-TLS, too. You don't need passwords. Alan DeKok.
Sorry, still lost: In the tls-config tls-common I see a flag set for : # Disable_tlsv1_2 = no [that is commented out]… And a # check_cert_issuer = And a # check_cert_cn = The tls config per se : Tls { Just points back to the tls-config tls-common I believe… If you want to take this discussion off line because it is somewhat security sensitive, I am jtobin@po-box.esu.edu. Sincerely, tob On 3/23/17, 15:38, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
On Mar 23, 2017, at 2:34 PM, John Tobin <jtobin@po-box.esu.edu> wrote:
Where is the tls 1.2 negotiation documented, I am somewhat of a newbie, I did search google for tls disable free radiusd, etc. didn¹t see anything like a disable switch/ or option, but then I may not have been looking in the right place.
Google is generally worse than reading the server's documentation, or the config files.
For EAP-TLS methods... edit the EAP module configuration. i.e. raddb/mods-available/eap. Look for "tls".
Give me a word on the tls situation. I do get it, if you don¹t include the client cert, then the TLS [with the server cert installed] checks to make sure you have the correct server, and the client authentication is by userid / Password. But that is kind of a miss of true TLS which would need both the server and the client cert supported.
You can use EAP-TLS, too. You don't need passwords.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 23, 2017, at 8:00 PM, John Tobin <jtobin@po-box.esu.edu> wrote:
Sorry, still lost:
If you want to disable tls 1.2, you follow the documentation and examples to disable it. What part of that is unclear?
If you want to take this discussion off line because it is somewhat security sensitive, I am jtobin@po-box.esu.edu.
Questions belong on the list. Alan DeKok.
What doc? What I find is in google [sorry, all I could find, no radiusd document came upŠ.] is below. No it doesn¹t work, problem hasn¹t changed, I am version radiusd 3.0.11, the vars I see are actually ca_file and ca_path | not CA_file and CA_path, but what do I know? I put back the original so I can run the windows clients. Is there some other place I am not looking? Sincerely, tob I lookup in google and I get: http://freeradius.1045715.n5.nabble.com/Disabling-EAP-TLS-while-keeping-EAP -PEAP-td2761895.html Which says: Jun 18, 2007; 6:09am Re: Disabling EAP-TLS while keeping EAP-PEAP <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=use r_nodes&user=108414> 36 posts In reply to this post <http://freeradius.1045715.n5.nabble.com/Disabling-EAP-TLS-while-keeping-EA P-PEAP-tp2761895.html> by Martin Gadbois Hi! By commenting the CA_file parameter in the eap->tls section: # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem *and* by setting CA_path parameter in the eap->tls section to an *empty* directory CA_path = ${raddbdir}/certs/trustedCAs should do the trick. No trusted CAs mean no trusted client certificates :-) Martin Gadbois wrote:
When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
How can I disable EAP-TLS while using EAP-PEAP?
I agree that if the client does not have a client key, EAP-TLS will not work. But how to restrict EAP-TLS in any case?
-- Beste Gruesse / Kind Regards On 3/23/17, 20:41, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
On Mar 23, 2017, at 8:00 PM, John Tobin <jtobin@po-box.esu.edu> wrote:
Sorry, still lost:
If you want to disable tls 1.2, you follow the documentation and examples to disable it.
What part of that is unclear?
If you want to take this discussion off line because it is somewhat security sensitive, I am jtobin@po-box.esu.edu.
Questions belong on the list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
What doc?
its all documented in the EAP module config - unless someone has been usful and removed ALL of the inline documentation in your config. look at the TLS section where the certificates (and/or certificate path are defined). if you concatentate your CA , intermediates and server cert into the certificate file, then you can remove the CA file and/or path - and thus disable EAP-TLS (only allowing PEAP, TTLS et al to continue working) alan
Hi, I was seeing something /very/ similar to the below TLS error recently and that was because the expected *server name* I configured in the client didn't match what my server was actually sending. Despite the usual suspects like typos in client config, you may also want to check for wildcard names in certs, or things that are not hostnames (spaces...) - clients sometimes choke on harmlessly looking things. Greetings, Stefan Winter Am 22.03.2017 um 21:54 schrieb John Tobin:
The log snip below, shows test on os x Sierra, Windows 7 works, I have not had the time to test win 10. So free Radiusd works, this is just an apple os x problem, server cert is self signed, dot1xprofiler is my profile app, and has both the signed cert [server.pem] and client cert [client.p12] generated by the make in /etc/raddb/certs.
On 3/22/17, 16:37, "John Tobin" <jtobin@po-box.esu.edu> wrote:
Ah, you mean like this: [ERROR: TLS is down a bit, I took the entire transaction out of the logŠ]
(86) Received Access-Request Id 196 from 10.99.7.190:1645 <http://10.99.7.190:1645/> to 10.99.7.21:1812 <http://10.99.7.21:1812/> length 153 (86) User-Name = "tobi1" (86) Framed-MTU = 1400 (86) Called-Station-Id = "0022.90bd.9500" (86) Calling-Station-Id = "0025.4b8e.15b9" (86) Service-Type = Login-User (86) Message-Authenticator = 0x5f033b48ec2f2a210b5e0ce5379cdf49 (86) EAP-Message = 0x0205001119800000000715030100020100 (86) NAS-Port-Type = Wireless-802.11 (86) NAS-Port = 394 (86) NAS-Port-Id = "394" (86) State = 0xe046c6d9e243dfdaa11e15be1d36d7b4 (86) NAS-IP-Address = 10.99.7.190 (86) NAS-Identifier = "ap" (86) session-state: No cached attributes (86) # Executing section authorize from file /etc/raddb/sites-enabled/default (86) authorize { (86) policy filter_username { (86) if (&User-Name) { (86) if (&User-Name) -> TRUE (86) if (&User-Name) { (86) if (&User-Name =~ / /) { (86) if (&User-Name =~ / /) -> FALSE (86) if (&User-Name =~ /@[^@]*@/ ) { (86) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (86) if (&User-Name =~ /\.\./ ) { (86) if (&User-Name =~ /\.\./ ) -> FALSE (86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (86) if (&User-Name =~ /\.$/) { (86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (86) if (&User-Name =~ /\.$/) { (86) if (&User-Name =~ /\.$/) -> FALSE (86) if (&User-Name =~ /@\./) { (86) if (&User-Name =~ /@\./) -> FALSE (86) } # if (&User-Name) = notfound (86) } # policy filter_username = notfound (86) [preprocess] = ok (86) [chap] = noop (86) [mschap] = noop (86) [digest] = noop (86) suffix: Checking for suffix after "@" (86) suffix: No '@' in User-Name = "tobi1", looking up realm NULL (86) suffix: No such realm "NULL" (86) [suffix] = noop (86) eap: Peer sent EAP Response (code 2) ID 5 length 17 (86) eap: Continuing tunnel setup (86) [eap] = ok (86) } # authorize = ok (86) Found Auth-Type = eap (86) # Executing group from file /etc/raddb/sites-enabled/default (86) authenticate { (86) eap: Expiring EAP session with state 0xe046c6d9e243dfda (86) eap: Finished EAP session with state 0xe046c6d9e243dfda (86) eap: Previous EAP request found for state 0xe046c6d9e243dfda, released from the list (86) eap: Peer sent packet with method EAP PEAP (25) (86) eap: Calling submodule eap_peap to process data (86) eap_peap: Continuing EAP-TLS (86) eap_peap: Peer indicated complete TLS record size will be 7 bytes (86) eap_peap: Got complete TLS record (7 bytes) (86) eap_peap: [eaptls verify] = length included (86) eap_peap: <<< recv TLS 1.0 Alert [length 0002], warning close_notify (86) eap_peap: ERROR: TLS_accept: Failed in unknown state (86) eap_peap: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (86) eap_peap: ERROR: SSL_read failed in a system call (-1), TLS session failed (86) eap_peap: ERROR: TLS receive handshake failed during operation (86) eap_peap: ERROR: [eaptls process] = fail (86) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (86) eap: Sending EAP Failure (code 4) ID 5 length 4 (86) eap: Failed in EAP select (86) [eap] = invalid (86) } # authenticate = invalid (86) Failed to authenticate the user (86) Using Post-Auth-Type Reject (86) # Executing group from file /etc/raddb/sites-enabled/default (86) Post-Auth-Type REJECT { (86) attr_filter.access_reject: EXPAND %{User-Name} (86) attr_filter.access_reject: --> tobi1 (86) attr_filter.access_reject: Matched entry DEFAULT at line 11 (86) [attr_filter.access_reject] = updated (86) [eap] = noop (86) policy remove_reply_message_if_eap { (86) if (&reply:EAP-Message && &reply:Reply-Message) { (86) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (86) else { (86) [noop] = noop (86) } # else = noop (86) } # policy remove_reply_message_if_eap = noop (86) } # Post-Auth-Type REJECT = updated (86) } # policy remove_reply_message_if_eap = noop (86) } # Post-Auth-Type REJECT = updated (86) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (86) Sending delayed response (86) Sent Access-Reject Id 196 from 10.99.7.21:1812 <http://10.99.7.21:1812/> to 10.99.7.190:1645 <http://10.99.7.190:1645/> length 44 (86) EAP-Message = 0x04050004 (86) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Š.. Waking up in 0.1 seconds. (86) Cleaning up request packet ID 196 with timestamp +1294629 Ready to process requests Ready to process requests Signalled to terminate Exiting normally rlm_ldap (ldap): Removing connection pool rlm_ldap (ldap): Closing connection (12) rlm_ldap (ldap): Closing connection (11) rlm_ldap (ldap): Closing connection (10) tls: Freeing cached session VPs
On 3/22/17, 13:20, "Freeradius-Users on behalf of Brian Julin" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of BJulin@clarku.edu> wrote:
This is not easy research, since the error messages you receive no one else seems to see. My problem may be that apple devices are no longer accepting self signed certs, but I have also looked at os x upgrades [home brew/openssl problems] for openssl.
If the OS is rejecting the cert (or visa versa), you'll see something like:
Error: TLS Alert fatal: blah blah blah
The original poster was getting all the way through MS-CHAP inner authentication, so it was could not have been a certificate issue since the TLS tunnel had successfully established.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Brian Julin -
Igor Sousa -
John Tobin -
Stefan Winter