Apple devices can´t authenticate
Dear, I have installed the Easyhotspot captive portal product which uses the freeradius 2.1.0 service in order to authenticate users. I can authenticate with Windows, Linux and Android devices, but I can't authenticate with Apple devices (iphone and ipad) at all. Is it an intrinsic problem of Freeradius ??? Thanks a lot. Roberto
Roberto Carna wrote:
I can authenticate with Windows, Linux and Android devices, but I can't authenticate with Apple devices (iphone and ipad) at all.
Is it an intrinsic problem of Freeradius ???
No, Apple devices auth off FreeRADIUS just fine. More likely it is a problem with certs/CAs, or client configurations.
Dear, the debug is this: [chap] Login attempt by "pepe" with CHAP password [chap] Using clear text password "1234" for user pepe authentication [chap] Password check failed ++[chap] Returns reject Failed to authenticate the user THe password is 1234 and I try many times... Any idea ??? Because from other Windos and Android devices the authentication works OK. Thanks again 2013/8/14 Brian Julin <BJulin@clarku.edu>:
Roberto Carna wrote:
I can authenticate with Windows, Linux and Android devices, but I can't authenticate with Apple devices (iphone and ipad) at all.
Is it an intrinsic problem of Freeradius ???
No, Apple devices auth off FreeRADIUS just fine.
More likely it is a problem with certs/CAs, or client configurations.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Since all your auth attempts are coming from easyhotspot, compare the difference in FreeRADIUS logs between a successful authentication and an unsuccessful one, for the same user and password. Compare both the username and password, and all other attributes in the request, very carefully. Odds are that easyhotspot is sending something different when an iOS client tries to connect. This would not be a surprise, since iOS has been known to try to play cute games by hijacking web portals.
-----Original Message----- From: freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org [mailto:freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org] On Behalf Of Roberto Carna Sent: Wednesday, August 14, 2013 10:01 AM To: FreeRadius users mailing list Subject: Re: Apple devices can´t authenticate
Dear, the debug is this:
[chap] Login attempt by "pepe" with CHAP password [chap] Using clear text password "1234" for user pepe authentication [chap] Password check failed ++[chap] Returns reject Failed to authenticate the user
THe password is 1234 and I try many times...
Any idea ??? Because from other Windos and Android devices the authentication works OK.
Thanks again
2013/8/14 Brian Julin <BJulin@clarku.edu>:
Roberto Carna wrote:
I can authenticate with Windows, Linux and Android devices, but I can't authenticate with Apple devices (iphone and ipad) at all.
Is it an intrinsic problem of Freeradius ???
No, Apple devices auth off FreeRADIUS just fine.
More likely it is a problem with certs/CAs, or client configurations.
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Roberto Carna wrote:
Dear, the debug is this:
[chap] Login attempt by "pepe" with CHAP password [chap] Using clear text password "1234" for user pepe authentication [chap] Password check failed ++[chap] Returns reject Failed to authenticate the user
THe password is 1234 and I try many times...
Are you sure that's from an Apple device? They don't do CHAP for WiFi authentication.
Any idea ??? Because from other Windos and Android devices the authentication works OK.
Post the FULL debug log. Honestly. That's why we ask for it. Alan DeKok.
I tried with Android device and it use CHAP authentication as Apple devices. OK, here is the complete log....thanks a lot!!! rad_recv: Accounting-Request packet from host 127.0.0.1 port 3799, id=74, length=172 Acct-Status-Type = Interim-Update User-Name = "pagos" Calling-Station-Id = "00-0C-E7-12-71-BF" Called-Station-Id = "00-15-5D-01-32-04" NAS-Port-Type = Wireless-802.11 NAS-Port = 6 NAS-Port-Id = "00000006" NAS-IP-Address = 0.0.0.0 NAS-Identifier = "nas01" Framed-IP-Address = 192.168.1.16 Acct-Session-Id = "520b975800000006" Acct-Input-Octets = 33494 Acct-Output-Octets = 42669 Acct-Input-Gigawords = 0 Acct-Output-Gigawords = 0 Acct-Input-Packets = 181 Acct-Output-Packets = 165 Acct-Session-Time = 491 +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 6,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 0.0.0.0,Acct-Session-Id = "520b975800000006",User-Name = "pagos"' [acct_unique] Acct-Unique-Session-ID = "a14e1d0a24db831a". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "pagos", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20130814 [detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20130814 expand: %t -> Wed Aug 14 11:51:11 2013 ++[detail] returns ok ++[unix] returns noop expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp expand: %{User-Name} -> pagos ++[radutmp] returns ok expand: /var/log/freeradius/sradutmp -> /var/log/freeradius/sradutmp expand: %{User-Name} -> pagos ++[sradutmp] returns ok expand: %{User-Name} -> pagos [sql] sql_set_user escaped user --> 'pagos' expand: %{Acct-Input-Gigawords} -> 0 expand: %{Acct-Input-Octets} -> 33494 expand: %{Acct-Output-Gigawords} -> 0 expand: %{Acct-Output-Octets} -> 42669 expand: UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET framedipaddress = '192.168.1.16', acctsessiontime = '491', acctinputoctets = '0' << 32 | '33494', acctoutputoctets = '0' << 32 | '42669' WHERE acctsessionid = '520b975800000006' AND username = 'pagos' AND nasipaddress = '0.0.0.0' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok expand: %{User-Name} -> pagos attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 74 to 127.0.0.1 port 3799 Finished request 0. Cleaning up request 0 ID 74 with timestamp +47 Going to the next request Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 47716, id=0, length=213 User-Name = "pagos" CHAP-Challenge = 0x102ce36fe571e8dd135b7aacbbfaedba CHAP-Password = 0x0027261c4744170b60d7ceb2e02b12a62b NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.1.17 Calling-Station-Id = "F0-CB-A1-A5-56-71" Called-Station-Id = "00-15-5D-01-32-04" NAS-Identifier = "nas01" Acct-Session-Id = "520b996100000002" NAS-Port-Type = Wireless-802.11 NAS-Port = 2 Message-Authenticator = 0x1fceb0d21eb5534aa4d358b82c239c28 WISPr-Logoff-URL = "http://192.168.1.1:3990/logoff" +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "pagos", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> pagos [sql] sql_set_user escaped user --> 'pagos' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pagos' ORDER BY id [sql] User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pagos' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pagos' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[max_all_mb] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop [expiration] Checking Expiration time: 'October 26 2021 24:00:00' ++[expiration] returns ok ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "pagos" with CHAP password [chap] Using clear text password "pagos" for user pagos authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> pagos attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 0 to 127.0.0.1 port 47716 Waking up in 4.9 seconds. Cleaning up request 1 ID 0 with timestamp +66 Ready to process requests. THANKS A LOT 2013/8/14 Alan DeKok <aland@deployingradius.com>:
Roberto Carna wrote:
Dear, the debug is this:
[chap] Login attempt by "pepe" with CHAP password [chap] Using clear text password "1234" for user pepe authentication [chap] Password check failed ++[chap] Returns reject Failed to authenticate the user
THe password is 1234 and I try many times...
Are you sure that's from an Apple device? They don't do CHAP for WiFi authentication.
Any idea ??? Because from other Windos and Android devices the authentication works OK.
Post the FULL debug log. Honestly. That's why we ask for it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 14/08/13 15:55, Roberto Carna wrote:
I tried with Android device and it use CHAP authentication as Apple devices.
Ok, there is some confusion here. You are using a captive portal, so it's actually your captive portal web-based login that is doing CHAP - the Apple/Android devices are just doing HTTP forms-based login. If Apple devices aren't working, it's a problem with the captive portal. Captive portals are just web pages from the client point of view.
participants (4)
-
Alan DeKok -
Brian Julin -
Phil Mayers -
Roberto Carna