Authentication issues from Apple devices
Hello. I have configured a Wireless Hotspot using the EasyHotSpot system, that uses FreeRadius for authentication. I am having problems only when Apple devices (iphone, ipad, macbooks) attempt to connect to the hotspot. This is confusing, as all other devices and software (Winxp, Vista, 7, Symbian, Blackberry, Android etc) authenticate perfectly. As a test case, and while running debugging, I attempted to connect with my Blackberry and an Iphone using the same username and password. I have attached the results. As you will see, using the same username and password, the blackberry authenticates while the iphone fails. I cannot see any reason for this in the log. Can anyone please assist? Failed log: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 60277, id=0, length=216 User-Name = "sandra" CHAP-Challenge = 0x0571777ec7661c411af641e8952291b9 CHAP-Password = 0x00120c16a8ff125a7a348459a0f40a86a9 NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.10 Calling-Station-Id = "DC-2B-61-9C-92-E6" Called-Station-Id = "00-0D-56-9C-AC-F6" NAS-Identifier = "nas01" Acct-Session-Id = "4dcde5a500000000" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Message-Authenticator = 0x35f8e8bc299636c4cd468b533de65f78 WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "sandra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> sandra [sql] sql_set_user escaped user --> 'sandra' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sandra' ORDER BY id [sql] User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sandra' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sandra' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[max_all_mb] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop [expiration] Checking Expiration time: 'September 11 2011 24:00:00' ++[expiration] returns ok ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "sandra" with CHAP password [chap] Using clear text password "sandra" for user sandra authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> sandra attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 0 to 127.0.0.1 port 60277 Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +36 Ready to process requests. Sucessful Log: rad_recv: Access-Request packet from host 127.0.0.1 port 44107, id=0, length=216 User-Name = "sandra" CHAP-Challenge = 0x97824e8524637118ae2cf716a0362b97 CHAP-Password = 0x00f729a50979c25ef7d9d9e5e4cc1b2907 NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.8 Calling-Station-Id = "CC-55-AD-93-77-E6" Called-Station-Id = "00-0D-56-9C-AC-F6" NAS-Identifier = "nas01" Acct-Session-Id = "4dcde8c300000001" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Message-Authenticator = 0xf30387317dabf479ce7642e776e0295e WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "sandra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> sandra [sql] sql_set_user escaped user --> 'sandra' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sandra' ORDER BY id [sql] User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sandra' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sandra' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[max_all_mb] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop [expiration] Checking Expiration time: 'September 11 2011 24:00:00' ++[expiration] returns ok ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "sandra" with CHAP password [chap] Using clear text password "sandra" for user sandra authentication. [chap] chap user sandra authenticated succesfully ++[chap] returns ok +- entering group session {...} expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp expand: %{User-Name} -> sandra ++[radutmp] returns ok +- entering group post-auth {...} expand: %{User-Name} -> sandra [sql] sql_set_user escaped user --> 'sandra' expand: %{User-Password} -> expand: %{Chap-Password} -> 0x00f729a50979c25ef7d9d9e5e4cc1b2907 expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'sandra', '0x00f729a50979c25ef7d9d9e5e4cc1b2907', 'Access-Accept', '2011-05-14 12:28:43') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'sandra', '0x00f729a50979c25ef7d9d9e5e4cc1b2907', 'Access-Accept', '2011-05-14 12:28:43') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 0 to 127.0.0.1 port 44107 WISPr-Bandwidth-Max-Down := 256000 Idle-Timeout := 600 WISPr-Session-Terminate-Time := "2011-9-11T24:00:00" Acct-Interim-Interval := 120 Session-Timeout = 10409477 Finished request 1. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Authentication-issues-from-Apple-dev... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, I have a Linux(Ubuntu) NMS server and I want it to be authenticated Via Freeradius. So If I log into that NMS server it should send requests for authentication to FreeRadius serve. Also, can a windows XP machine be authenticated through Freeradius? I mean not the telnet/SSH login but somethign like RDP or VNC as well. BR, Raheel
Date: Fri, 13 May 2011 20:42:03 -0700 From: richard.adams@stentofon.com.au To: freeradius-users@lists.freeradius.org Subject: Authentication issues from Apple devices
Hello. I have configured a Wireless Hotspot using the EasyHotSpot system, that uses FreeRadius for authentication.
I am having problems only when Apple devices (iphone, ipad, macbooks) attempt to connect to the hotspot.
This is confusing, as all other devices and software (Winxp, Vista, 7, Symbian, Blackberry, Android etc) authenticate perfectly.
As a test case, and while running debugging, I attempted to connect with my Blackberry and an Iphone using the same username and password. I have attached the results. As you will see, using the same username and password, the blackberry authenticates while the iphone fails. I cannot see any reason for this in the log. Can anyone please assist?
Failed log:
Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 60277, id=0, length=216 User-Name = "sandra" CHAP-Challenge = 0x0571777ec7661c411af641e8952291b9 CHAP-Password = 0x00120c16a8ff125a7a348459a0f40a86a9 NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.10 Calling-Station-Id = "DC-2B-61-9C-92-E6" Called-Station-Id = "00-0D-56-9C-AC-F6" NAS-Identifier = "nas01" Acct-Session-Id = "4dcde5a500000000" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Message-Authenticator = 0x35f8e8bc299636c4cd468b533de65f78 WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "sandra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> sandra [sql] sql_set_user escaped user --> 'sandra' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sandra' ORDER BY id [sql] User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sandra' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sandra' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[max_all_mb] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop [expiration] Checking Expiration time: 'September 11 2011 24:00:00' ++[expiration] returns ok ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "sandra" with CHAP password [chap] Using clear text password "sandra" for user sandra authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> sandra attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 0 to 127.0.0.1 port 60277 Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +36 Ready to process requests.
Sucessful Log:
rad_recv: Access-Request packet from host 127.0.0.1 port 44107, id=0, length=216 User-Name = "sandra" CHAP-Challenge = 0x97824e8524637118ae2cf716a0362b97 CHAP-Password = 0x00f729a50979c25ef7d9d9e5e4cc1b2907 NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.8 Calling-Station-Id = "CC-55-AD-93-77-E6" Called-Station-Id = "00-0D-56-9C-AC-F6" NAS-Identifier = "nas01" Acct-Session-Id = "4dcde8c300000001" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Message-Authenticator = 0xf30387317dabf479ce7642e776e0295e WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "sandra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> sandra [sql] sql_set_user escaped user --> 'sandra' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sandra' ORDER BY id [sql] User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sandra' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sandra' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[max_all_mb] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop [expiration] Checking Expiration time: 'September 11 2011 24:00:00' ++[expiration] returns ok ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "sandra" with CHAP password [chap] Using clear text password "sandra" for user sandra authentication. [chap] chap user sandra authenticated succesfully ++[chap] returns ok +- entering group session {...} expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp expand: %{User-Name} -> sandra ++[radutmp] returns ok +- entering group post-auth {...} expand: %{User-Name} -> sandra [sql] sql_set_user escaped user --> 'sandra' expand: %{User-Password} -> expand: %{Chap-Password} -> 0x00f729a50979c25ef7d9d9e5e4cc1b2907 expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'sandra', '0x00f729a50979c25ef7d9d9e5e4cc1b2907', 'Access-Accept', '2011-05-14 12:28:43') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'sandra', '0x00f729a50979c25ef7d9d9e5e4cc1b2907', 'Access-Accept', '2011-05-14 12:28:43') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 0 to 127.0.0.1 port 44107 WISPr-Bandwidth-Max-Down := 256000 Idle-Timeout := 600 WISPr-Session-Terminate-Time := "2011-9-11T24:00:00" Acct-Interim-Interval := 120 Session-Timeout = 10409477 Finished request 1.
-- View this message in context: http://freeradius.1045715.n5.nabble.com/Authentication-issues-from-Apple-dev... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Raheel, It might be better if you create a new topic rather then hijacking mine :) -- View this message in context: http://freeradius.1045715.n5.nabble.com/Authentication-issues-from-Apple-dev... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 05/14/2011 07:37 AM, Raheel Itrat wrote:
Hi,
I have a Linux(Ubuntu) NMS server and I want it to be authenticated Via
Please don't hijack a thread.
Freeradius. So If I log into that NMS server it should send requests for
You will need to read the documentation for the NMS server.
authentication to FreeRadius serve. Also, can a windows XP machine be authenticated through Freeradius? I mean not the telnet/SSH login but somethign like RDP or VNC as well.
No. I'm pretty sure that RDP can only use local or domain auth, not radius. I don't know about VNC but I suspect the same.
Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "sandra" with CHAP password [chap] Using clear text password "sandra" for user sandra authentication. [chap] Password check failed ++[chap] returns reject
Nothing very dramatic here - the chap-challange is wrong, almost certainly meaning the user entered the wrong password. Now, since "the user" in this case is you testing, I guess it might be something else, but I'm not sure what. First thing - check and re-check that you're entering the password correctly, and something tedious like autocorrect isn't munging it! How do clients log into the hotspot - is it via web intercept/redirect and an HTML form? Can you switch to HTTP (rather than HTTPS) and run a packet capture to see if the password coming from the client is good?
The users connect through a chillispot captive portal, via HTTP. HTTPS causes too many problems with certificates, and the access point is unencripted anyway, so security is not the issue. I initally thought that the hotspot clients were simply making mistakes, but i've been testing it all day with the iphone v blackberry and Windows 7 and i'm fairly certain the password is going in ok. I set the username and password to be sandra : sandra for simplicity, as the autocorrect should leave it alone. I also set up an account as 1234 : 1234 and this also failed only on the iphone. For it to only affect Apple products, i had hoped that the debug message was going to show some rubbish in the username to prove that there was some issue with the input, but i can't see the issue when the debug message is confirming that the correct username and password were supplied. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Authentication-issues-from-Apple-dev... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 05/14/2011 10:08 AM, stentofon wrote:
The users connect through a chillispot captive portal, via HTTP. HTTPS causes too many problems with certificates, and the access point is unencripted anyway, so security is not the issue.
I initally thought that the hotspot clients were simply making mistakes, but i've been testing it all day with the iphone v blackberry and Windows 7 and i'm fairly certain the password is going in ok. I set the username and password to be sandra : sandra for simplicity, as the autocorrect should leave it alone. I also set up an account as 1234 : 1234 and this also failed only on the iphone.
For it to only affect Apple products, i had hoped that the debug message was going to show some rubbish in the username to prove that there was some
No; the packet is well-formed. The problem is that, in your failing case, the CHAP-Password is not valid for the given CHAP-Challenge and your plaintext password "sandra". That is, the client (Chilli) is sending invalid auth to FreeRADIUS.
issue with the input, but i can't see the issue when the debug message is confirming that the correct username and password were supplied.
That's not what the debug message says. I assume you're referring to this line: [chap] login attempt by "sandra" with CHAP password [chap] Using clear text password "sandra" for user sandra authentication. ...which means "I'm trying a login for 'sandra'. My (server-side) value for their clear text password is 'sandra'". It doesn't refer to anything the client sent (well, the username I guess). CHAP is a challenge-response method. The NAS (Chilli) never sends the password to FreeRADIUS. Instead, it sends: CHAP-Challenge = 16 random bytes CHAP-Password = 1 byte ID + md5(ID + password + challenge) The radius server then extracts the plaintext password from the SQL database, and the ID & challenge from the packet, computes it's own copy of CHAP-Password, and compares it to the packet. In your failing case, they don't match, so authentication is denied (I've confirmed this by doing the MD5 manually in python - it's definitely invalid. I tried a few trivial variations of the password too, so see if I could figure out what the client was using - no dice) I think the problem must be at the Chillispot end - it's breaking the CHAP somehow for iOS clients. Since you're not using HTTPS, you could try getting a packet capture of a working and failing login HTTP session, and compare the two in detail - I'd be looking for the POSTed form data, and any HTTP headers that might affect the interpretation e.g. character encodings. But this isn't really a FreeRADIUS problem I'm afraid.
participants (3)
-
Phil Mayers -
Raheel Itrat -
stentofon