Mac osx authentication problems
Hi, we are implementing two wifi SSIDs with two different radius authentications - first is our internal net with local freeradius 3.0 and NTLM and this works without a problem. The other is eduroam with external radius and while testing we found out that Mac OsX users can't connect to it. They get a u/p and the cert popup but after that it seems to just hang and eventually timeout. I've contacted the external radius guys and they said they are still on freeradius 2.1. Could this be the cause of the problems? I know the general rule is to upgrade to 3 but as said it's not our radius. If someone had similar experience or knows it's a version issue I will have better arguments to convince them to upgrade (I hope). Thanks, Cheers, Jure
On Jan 12, 2022, at 11:41 AM, Jure Simšič via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
we are implementing two wifi SSIDs with two different radius authentications - first is our internal net with local freeradius 3.0 and NTLM and this works without a problem. The other is eduroam with external radius and while testing we found out that Mac OsX users can't connect to it. They get a u/p and the cert popup but after that it seems to just hang and eventually timeout. I've contacted the external radius guys and they said they are still on freeradius 2.1. Could this be the cause of the problems?
Probably not. If the Mac systems get a certificate popup, then they aren't configured to accept the cert / CA presented by the other server. The solution is to configure the Mac systems to know about those certs.
I know the general rule is to upgrade to 3 but as said it's not our radius. If someone had similar experience or knows it's a version issue I will have better arguments to convince them to upgrade (I hope).
They should upgrade, for a bunch of reasons. v2 is no longer supported. v3 has a lot better TLS debugging output, among many other changes. Alan DeKok.
Hi, so you are providing off-campus eduroam service for some, perhaps Ljubljana-based, University or research institution? (Which is a good thing to do, if you have many of their users on your own campus and want to give them easy, secure access.) On 12.01.22 19:18, Alan DeKok wrote:
If the Mac systems get a certificate popup, then they aren't configured to accept the cert / CA presented by the other server. The solution is to configure the Mac systems to know about those certs.
This is the way to go, of course. Take a look at https://cat.eduroam.org There are ~30 Institutions listed for Ljubljana -- pretty impressive TBH. Your partner might be among them. If so, configuration should be easy: Fire up Safari on the client and import their .mobileconfig. This _should_ configure the client correctly. Just make sure _all_ manual and/or profile configs for eduroam are purged from the client before -- and a reboot after deletion is a good idea. Do other clients (Linux, Windows, iOS, Android) fare any better? You might want to access the remote FR 2.1 with eapol_test to see what it actually delivers, cf. http://deployingradius.com/scripts/eapol_test/ Good Luck Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (3)
-
Alan DeKok -
Jure Simšič -
Martin Pauly