connectivity issues with different devices
Hello, I emailed in about a week ago trying to get eap+ttls configured to work with my MacBooks and mobile devices. I have finally gotten that working. However now i'm running into another issues. We had to do a code upgrade on my wireless to support TLS 1.2 which is now done. Right now i'm facing an issue JUST on Mac OS X High Sierra where it is not able to authenticate. In order to get the mobile devices working on my test SSID I had to disable EAP+TLS termination from the Access Points to the FreeRADIUS server. I have EAP+TTLS setup to use PAP beacuse I'm authenticating to LDAP/FreeIPA. This is working for Mac OS X 10.11.x, 10.12.x, Android 6 & 7, but not for High Sierra 10.13.x. I am still working on procuring a Apple Mobile device that is on the latest code. So i'm trying to figure out if I need to change the config slightly but not 100% sure. But here is my debug output right now: Thu Dec 7 21:00:28 2017 : Debug: (35) Message-Authenticator = 0x9cc50130f378dd9808a639a0c01c246d Thu Dec 7 21:00:28 2017 : Debug: (35) session-state: No cached attributes Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing section authorize from file /etc/raddb/sites-enabled/default Thu Dec 7 21:00:28 2017 : Debug: (35) authorize { Thu Dec 7 21:00:28 2017 : Debug: (35) policy filter_username { Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) { Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) -> TRUE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) { Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ / /) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ / /) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@[^@]*@/ ) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.\./ ) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.\./ ) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.$/) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.$/) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@\./) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@\./) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) } # if (&User-Name) = notfound Thu Dec 7 21:00:28 2017 : Debug: (35) } # policy filter_username = notfound Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling preprocess (rlm_preprocess) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from preprocess (rlm_preprocess) Thu Dec 7 21:00:28 2017 : Debug: (35) [preprocess] = ok Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling chap (rlm_chap) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from chap (rlm_chap) Thu Dec 7 21:00:28 2017 : Debug: (35) [chap] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling mschap (rlm_mschap) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from mschap (rlm_mschap) Thu Dec 7 21:00:28 2017 : Debug: (35) [mschap] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling digest (rlm_digest) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from digest (rlm_digest) Thu Dec 7 21:00:28 2017 : Debug: (35) [digest] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling suffix (rlm_realm) Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: Checking for suffix after "@" Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: No '@' in User-Name = "andrew.meyer", looking up realm NULL Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: No such realm "NULL" Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from suffix (rlm_realm) Thu Dec 7 21:00:28 2017 : Debug: (35) [suffix] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Peer sent EAP Response (code 2) ID 8 length 119 Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Continuing tunnel setup Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = ok Thu Dec 7 21:00:28 2017 : Debug: (35) } # authorize = ok Thu Dec 7 21:00:28 2017 : Debug: (35) Found Auth-Type = eap Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing group from file /etc/raddb/sites-enabled/default Thu Dec 7 21:00:28 2017 : Debug: (35) authenticate { Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: calling eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Expiring EAP session with state 0x7ee913c27feb09b0 Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Finished EAP session with state 0x4bff8a3e4df79f46 Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Previous EAP request found for state 0x4bff8a3e4df79f46, released from the list Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Peer sent packet with method EAP TTLS (21) Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Calling submodule eap_ttls to process data Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Authenticate Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Continuing EAP-TLS Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Peer sent flags --L Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Peer indicated complete TLS record size will be 109 bytes Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Got complete TLS record (109 bytes) Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: [eaptls verify] = length included Thu Dec 7 21:00:28 2017 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0 Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: [eaptls process] = ok Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Session established. Proceeding to decode tunneled attributes Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Got tunneled request Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: EAP-Message = 0x020200471a02020042310c2b32464a4d784b18430da9031e0a2c0000000000000000b79f070b5edc9d77e6b3a8afe5e8e14058595469c43a365700616e647265772e6d65796572 Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 Thu Dec 7 21:00:28 2017 : Debug: (35) Virtual server inner-tunnel received request Thu Dec 7 21:00:28 2017 : Debug: (35) EAP-Message = 0x020200471a02020042310c2b32464a4d784b18430da9031e0a2c0000000000000000b79f070b5edc9d77e6b3a8afe5e8e14058595469c43a365700616e647265772e6d65796572 Thu Dec 7 21:00:28 2017 : Debug: (35) FreeRADIUS-Proxied-To = 127.0.0.1 Thu Dec 7 21:00:28 2017 : Debug: (35) User-Name = "andrew.meyer" Thu Dec 7 21:00:28 2017 : Debug: (35) State = 0x7ee913c27feb09b057d7e8dcddbcec86 Thu Dec 7 21:00:28 2017 : WARNING: (35) Outer and inner identities are the same. User privacy is compromised. Thu Dec 7 21:00:28 2017 : Debug: (35) server inner-tunnel { Thu Dec 7 21:00:28 2017 : Debug: (35) session-state: No cached attributes Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel Thu Dec 7 21:00:28 2017 : Debug: (35) authorize { Thu Dec 7 21:00:28 2017 : Debug: (35) policy filter_username { Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) { Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) -> TRUE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name) { Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ / /) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ / /) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@[^@]*@/ ) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.\./ ) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.\./ ) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.$/) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /\.$/) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@\./) { Thu Dec 7 21:00:28 2017 : Debug: No matches Thu Dec 7 21:00:28 2017 : Debug: (35) if (&User-Name =~ /@\./) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) } # if (&User-Name) = notfound Thu Dec 7 21:00:28 2017 : Debug: (35) } # policy filter_username = notfound Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling chap (rlm_chap) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from chap (rlm_chap) Thu Dec 7 21:00:28 2017 : Debug: (35) [chap] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling mschap (rlm_mschap) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from mschap (rlm_mschap) Thu Dec 7 21:00:28 2017 : Debug: (35) [mschap] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling suffix (rlm_realm) Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: Checking for suffix after "@" Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: No '@' in User-Name = "andrew.meyer", looking up realm NULL Thu Dec 7 21:00:28 2017 : Debug: (35) suffix: No such realm "NULL" Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from suffix (rlm_realm) Thu Dec 7 21:00:28 2017 : Debug: (35) [suffix] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) update control { Thu Dec 7 21:00:28 2017 : Debug: (35) &Proxy-To-Realm := LOCAL Thu Dec 7 21:00:28 2017 : Debug: (35) } # update control = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Peer sent EAP Response (code 2) ID 2 length 71 Thu Dec 7 21:00:28 2017 : Debug: (35) eap: No EAP Start, assuming it's an on-going EAP conversation Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = updated Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling files (rlm_files) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from files (rlm_files) Thu Dec 7 21:00:28 2017 : Debug: (35) [files] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling ldap (rlm_ldap) Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL Thu Dec 7 21:00:28 2017 : Debug: rlm_ldap (ldap): Reserved connection (10) Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL XLAT Thu Dec 7 21:00:28 2017 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Thu Dec 7 21:00:28 2017 : Debug: Parsed xlat tree: Thu Dec 7 21:00:28 2017 : Debug: literal --> (uid= Thu Dec 7 21:00:28 2017 : Debug: XLAT-IF { Thu Dec 7 21:00:28 2017 : Debug: attribute --> Stripped-User-Name Thu Dec 7 21:00:28 2017 : Debug: } Thu Dec 7 21:00:28 2017 : Debug: XLAT-ELSE { Thu Dec 7 21:00:28 2017 : Debug: attribute --> User-Name Thu Dec 7 21:00:28 2017 : Debug: } Thu Dec 7 21:00:28 2017 : Debug: literal --> ) Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: --> (uid=andrew.meyer) Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: EXPAND TMPL LITERAL Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Performing search in "cn=users,cn=accounts,dc=gatewayblend,dc=net" with filter "(uid=andrew.meyer)", scope "sub" Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Waiting for search result... Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: User object found at DN "uid=andrew.meyer,cn=users,cn=accounts,dc=gatewayblend,dc=net" Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Processing user attributes Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Attribute "userPassword" not found in LDAP object Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Attribute "radiusControlAttribute" not found in LDAP object Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Attribute "radiusRequestAttribute" not found in LDAP object Thu Dec 7 21:00:28 2017 : Debug: (35) ldap: Attribute "radiusReplyAttribute" not found in LDAP object Thu Dec 7 21:00:28 2017 : WARNING: (35) ldap: No "known good" password added. Ensure the admin user has permission to read the password attribute Thu Dec 7 21:00:28 2017 : WARNING: (35) ldap: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) Thu Dec 7 21:00:28 2017 : Debug: rlm_ldap (ldap): Released connection (10) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from ldap (rlm_ldap) Thu Dec 7 21:00:28 2017 : Debug: (35) [ldap] = ok Thu Dec 7 21:00:28 2017 : Debug: (35) if ((ok || updated) && User-Password) { Thu Dec 7 21:00:28 2017 : Debug: (35) if ((ok || updated) && User-Password) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling expiration (rlm_expiration) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from expiration (rlm_expiration) Thu Dec 7 21:00:28 2017 : Debug: (35) [expiration] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling logintime (rlm_logintime) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from logintime (rlm_logintime) Thu Dec 7 21:00:28 2017 : Debug: (35) [logintime] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: calling pap (rlm_pap) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authorize]: returned from pap (rlm_pap) Thu Dec 7 21:00:28 2017 : Debug: (35) [pap] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) } # authorize = updated Thu Dec 7 21:00:28 2017 : Debug: (35) Found Auth-Type = eap Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel Thu Dec 7 21:00:28 2017 : Debug: (35) authenticate { Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: calling eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Expiring EAP session with state 0x7ee913c27feb09b0 Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Finished EAP session with state 0x7ee913c27feb09b0 Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Previous EAP request found for state 0x7ee913c27feb09b0, released from the list Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Peer sent packet with method EAP MSCHAPv2 (26) Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Calling submodule eap_mschapv2 to process data Thu Dec 7 21:00:28 2017 : Debug: (35) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel Thu Dec 7 21:00:28 2017 : Debug: (35) eap_mschapv2: authenticate { Thu Dec 7 21:00:28 2017 : Debug: (35) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) Thu Dec 7 21:00:28 2017 : WARNING: (35) mschap: No Cleartext-Password configured. Cannot create NT-Password Thu Dec 7 21:00:28 2017 : WARNING: (35) mschap: No Cleartext-Password configured. Cannot create LM-Password Thu Dec 7 21:00:28 2017 : Debug: (35) mschap: Creating challenge hash with username: andrew.meyer Thu Dec 7 21:00:28 2017 : Debug: (35) mschap: Client is using MS-CHAPv2 Thu Dec 7 21:00:28 2017 : ERROR: (35) mschap: FAILED: No NT/LM-Password. Cannot perform authentication Thu Dec 7 21:00:28 2017 : ERROR: (35) mschap: MS-CHAP2-Response is incorrect Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: returned from mschap (rlm_mschap) Thu Dec 7 21:00:28 2017 : Debug: (35) [mschap] = reject Thu Dec 7 21:00:28 2017 : Debug: (35) } # authenticate = reject Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Sending EAP Failure (code 4) ID 2 length 4 Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Freeing handler Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: returned from eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = reject Thu Dec 7 21:00:28 2017 : Debug: (35) } # authenticate = reject Thu Dec 7 21:00:28 2017 : Debug: (35) Failed to authenticate the user Thu Dec 7 21:00:28 2017 : Debug: (35) Using Post-Auth-Type Reject Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel Thu Dec 7 21:00:28 2017 : Debug: (35) Post-Auth-Type REJECT { Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) Thu Dec 7 21:00:28 2017 : Debug: %{User-Name} Thu Dec 7 21:00:28 2017 : Debug: Parsed xlat tree: Thu Dec 7 21:00:28 2017 : Debug: attribute --> User-Name Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: EXPAND %{User-Name} Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: --> andrew.meyer Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Matched entry DEFAULT at line 11 Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: MS-CHAP-Error = "\002E=691 R=1 C=6bfbf7b2dac4da0509b000cb87f64dd1 V=3 M=Authentication failed" allowed by MS-CHAP-Error =* "" Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "MS-CHAP-Error" allowed by 1 rules, disallowed by 0 rules Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: EAP-Message = 0x04020004 allowed by EAP-Message =* 0x Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Message-Authenticator = 0x00000000000000000000000000000000 allowed by Message-Authenticator =* 0x Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) Thu Dec 7 21:00:28 2017 : Debug: (35) [attr_filter.access_reject] = updated Thu Dec 7 21:00:28 2017 : Debug: (35) update outer.session-state { Thu Dec 7 21:00:28 2017 : Debug: (35) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' Thu Dec 7 21:00:28 2017 : Debug: (35) } # update outer.session-state = noop Thu Dec 7 21:00:28 2017 : Debug: (35) } # Post-Auth-Type REJECT = updated Thu Dec 7 21:00:28 2017 : Debug: (35) } # server inner-tunnel Thu Dec 7 21:00:28 2017 : Debug: (35) Virtual server sending reply Thu Dec 7 21:00:28 2017 : Debug: (35) MS-CHAP-Error = "\002E=691 R=1 C=6bfbf7b2dac4da0509b000cb87f64dd1 V=3 M=Authentication failed" Thu Dec 7 21:00:28 2017 : Debug: (35) EAP-Message = 0x04020004 Thu Dec 7 21:00:28 2017 : Debug: (35) Message-Authenticator = 0x00000000000000000000000000000000 Thu Dec 7 21:00:28 2017 : Debug: (35) eap_ttls: Got tunneled Access-Reject Thu Dec 7 21:00:28 2017 : ERROR: (35) eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Sending EAP Failure (code 4) ID 8 length 4 Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Failed in EAP select Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[authenticate]: returned from eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = invalid Thu Dec 7 21:00:28 2017 : Debug: (35) } # authenticate = invalid Thu Dec 7 21:00:28 2017 : Debug: (35) Failed to authenticate the user Thu Dec 7 21:00:28 2017 : Debug: (35) Using Post-Auth-Type Reject Thu Dec 7 21:00:28 2017 : Debug: (35) # Executing group from file /etc/raddb/sites-enabled/default Thu Dec 7 21:00:28 2017 : Debug: (35) Post-Auth-Type REJECT { Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) Thu Dec 7 21:00:28 2017 : Debug: %{User-Name} Thu Dec 7 21:00:28 2017 : Debug: Parsed xlat tree: Thu Dec 7 21:00:28 2017 : Debug: attribute --> User-Name Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: EXPAND %{User-Name} Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: --> andrew.meyer Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Matched entry DEFAULT at line 11 Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: EAP-Message = 0x04080004 allowed by EAP-Message =* 0x Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Message-Authenticator = 0x00000000000000000000000000000000 allowed by Message-Authenticator =* 0x Thu Dec 7 21:00:28 2017 : Debug: (35) attr_filter.access_reject: Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) Thu Dec 7 21:00:28 2017 : Debug: (35) [attr_filter.access_reject] = updated Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: calling eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) eap: Reply already contained an EAP-Message, not inserting EAP-Failure Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: returned from eap (rlm_eap) Thu Dec 7 21:00:28 2017 : Debug: (35) [eap] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) policy remove_reply_message_if_eap { Thu Dec 7 21:00:28 2017 : Debug: (35) if (&reply:EAP-Message && &reply:Reply-Message) { Thu Dec 7 21:00:28 2017 : Debug: (35) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Thu Dec 7 21:00:28 2017 : Debug: (35) else { Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: calling noop (rlm_always) Thu Dec 7 21:00:28 2017 : Debug: (35) modsingle[post-auth]: returned from noop (rlm_always) Thu Dec 7 21:00:28 2017 : Debug: (35) [noop] = noop Thu Dec 7 21:00:28 2017 : Debug: (35) } # else = noop Thu Dec 7 21:00:28 2017 : Debug: (35) } # policy remove_reply_message_if_eap = noop Thu Dec 7 21:00:28 2017 : Debug: (35) } # Post-Auth-Type REJECT = updated Thu Dec 7 21:00:28 2017 : Debug: (35) Delaying response for 1.000000 seconds Thu Dec 7 21:00:28 2017 : Debug: Thread 4 waiting to be assigned a request Thu Dec 7 21:00:28 2017 : Debug: Waking up in 0.6 seconds. Thu Dec 7 21:00:29 2017 : Debug: (35) Sending delayed response Thu Dec 7 21:00:29 2017 : Debug: (35) Sent Access-Reject Id 249 from 10.1.6.160:1812 to 10.1.10.2:37381 length 44 Thu Dec 7 21:00:29 2017 : Debug: (35) EAP-Message = 0x04080004 Thu Dec 7 21:00:29 2017 : Debug: (35) Message-Authenticator = 0x00000000000000000000000000000000 Thu Dec 7 21:00:29 2017 : Debug: Waking up in 3.9 seconds. Thu Dec 7 21:00:33 2017 : Debug: (28) Cleaning up request packet ID 242 with timestamp +3225 Thu Dec 7 21:00:33 2017 : Debug: (29) Cleaning up request packet ID 243 with timestamp +3225 Thu Dec 7 21:00:33 2017 : Debug: (30) Cleaning up request packet ID 244 with timestamp +3225 Thu Dec 7 21:00:33 2017 : Debug: (31) Cleaning up request packet ID 245 with timestamp +3225 Thu Dec 7 21:00:33 2017 : Debug: (32) Cleaning up request packet ID 246 with timestamp +3225 Thu Dec 7 21:00:33 2017 : Debug: (33) Cleaning up request packet ID 247 with timestamp +3225 Thu Dec 7 21:00:33 2017 : Debug: (34) Cleaning up request packet ID 248 with timestamp +3225 Thu Dec 7 21:00:33 2017 : Debug: (35) Cleaning up request packet ID 249 with timestamp +3225 Thu Dec 7 21:00:33 2017 : Info: Ready to process requests Thank you in advance, Andrew
my config for default eap type shows pap under the EAP-TTLS section. and ttls for default_eap_type under the eap sections. So i'm guessing the macbook is trying to auth using mschapv2 and failing? On Thursday, December 7, 2017 3:15 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
I have EAP+TTLS setup to use PAP
your log appears to show an EAP-TTLS/MSCHAPv2 login attempt alan
This is weird, because I'm replicating the setup I have at my house with what I have at work. the only difference is the wireless networking hardware. Aruba vs Meraki. On Thursday, December 7, 2017 3:25 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: my config for default eap type shows pap under the EAP-TTLS section. and ttls for default_eap_type under the eap sections. So i'm guessing the macbook is trying to auth using mschapv2 and failing? On Thursday, December 7, 2017 3:15 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
I have EAP+TTLS setup to use PAP
your log appears to show an EAP-TTLS/MSCHAPv2 login attempt alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan Buxey -
Andrew Meyer