Resume failing on system reboot
Using freeradius 2.2.4_2 with an LDAP backend serving WPA enterprise wifi clients. I have an issue that I've been stuck on for days. Auth works just fine, but if say a user restarts his OS X Yosemite laptop on reboot it will report loss of network and fail to connect. Looking at radiusd.logs I see an endless loop of Access-Challenge responses but never an accept. Some time later it starts to work when trying to reconnect. What am I missing here? Below is the error and my configuration: ##### ERROR ##### ERROR rad_recv: Access-Request packet from host 10.1.0.6 port 39552, id=173, length=155 User-Name = "user1" NAS-IP-Address = 10.1.0.6 NAS-Port = 0 Called-Station-Id = "68-86-A7-FF-D0-02:RANDOMSSID" Calling-Station-Id = "3C-15-C2-B7-DC-80" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x0203000a01726c616e67 Message-Authenticator = 0xfda339f6e3f3854c5203dd14e0c5c9fc Info: # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/default Info: +group authorize { Info: ++[preprocess] = ok Info: ++[mschap] = noop Info: [ntdomain] No '\' in User-Name = "user1", looking up realm NULL Info: [ntdomain] No such realm "NULL" Info: ++[ntdomain] = noop Info: [eap] EAP packet type response id 3 length 10 Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Info: ++[eap] = updated Info: ++[expiration] = noop Info: ++[logintime] = noop Info: +} # group authorize = updated Info: Found Auth-Type = EAP Info: # Executing group from file /opt/local/etc/raddb/sites-enabled/default Info: +group authenticate { Info: [eap] EAP Identity Info: [eap] processing type tls Info: [tls] Flushing SSL sessions (of #0) Info: [tls] Initiate Info: [tls] Start returned 1 Info: ++[eap] = handled Info: +} # group authenticate = handled Sending Access-Challenge of id 173 to 10.1.0.6 port 39552 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x652be819652ff13421bf66d7088d793f Info: Finished request 0. Debug: Going to the next request Debug: Waking up in 4.9 seconds. Thu Nov 13 15:31:49 2014 : Info: Cleaning up request 0 ID 173 with timestamp +60 Thu Nov 13 15:31:49 2014 : Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Nov 13 15:31:49 2014 : Debug: WARNING: !! EAP session for state 0x652be819652ff134 did not finish! Thu Nov 13 15:31:49 2014 : Debug: WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility Thu Nov 13 15:31:49 2014 : Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Nov 13 15:31:49 2014 : Info: Ready to process requests. rad_recv: Access-Request packet from host 10.1.0.6 port 39552, id=171, length=155 User-Name = "user1" NAS-IP-Address = 10.1.0.6 NAS-Port = 0 Called-Station-Id = "68-86-A7-FF-D0-02:f" Calling-Station-Id = "3C-15-C2-B7-DC-80" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x0200000a01726c616e67 Message-Authenticator = 0x5713a7f5bda1676ee08343c46dcd5e6f Info: # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/default Info: +group authorize { Info: ++[preprocess] = ok Info: ++[mschap] = noop Info: [ntdomain] No '\' in User-Name = "user1", looking up realm NULL Info: [ntdomain] No such realm "NULL" Info: ++[ntdomain] = noop Info: [eap] EAP packet type response id 0 length 10 Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Info: ++[eap] = updated Info: ++[expiration] = noop Info: ++[logintime] = noop Info: +} # group authorize = updated Info: Found Auth-Type = EAP Info: # Executing group from file /opt/local/etc/raddb/sites-enabled/default Info: +group authenticate { Info: [eap] EAP Identity Info: [eap] processing type tls Info: [tls] Initiate Info: [tls] Start returned 1 Info: ++[eap] = handled Info: +} # group authenticate = handled Sending Access-Challenge of id 171 to 10.1.0.6 port 39552 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac737dcfac726477626749b4614c2b4e Info: Finished request 1. Debug: Going to the next request Debug: Waking up in 4.9 seconds. Info: Cleaning up request 1 ID 171 with timestamp +74 Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Debug: WARNING: !! EAP session for state 0xac737dcfac726477 did not finish! Debug: WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Info: Ready to process requests. rad_recv: Access-Request packet from host 10.1.0.6 port 39552, id=172, length=155 User-Name = "user1" NAS-IP-Address = 10.1.0.6 NAS-Port = 0 Called-Station-Id = "68-86-A7-FF-D0-02:RANDOMSSID" Calling-Station-Id = "3C-15-C2-B7-DC-80" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x0201000a01726c616e67 Message-Authenticator = 0x5a371b7db7a108196d1e06bf7805e0a3 Info: # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/default Info: +group authorize { Info: ++[preprocess] = ok Info: ++[mschap] = noop Info: [ntdomain] No '\' in User-Name = "user1", looking up realm NULL Info: [ntdomain] No such realm "NULL" Info: ++[ntdomain] = noop Info: [eap] EAP packet type response id 1 length 10 Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Info: ++[eap] = updated Info: ++[expiration] = noop Info: ++[logintime] = noop Info: +} # group authorize = updated Info: Found Auth-Type = EAP Info: # Executing group from file /opt/local/etc/raddb/sites-enabled/default Info: +group authenticate { Info: [eap] EAP Identity Info: [eap] processing type tls Info: [tls] Initiate Info: [tls] Start returned 1 Info: ++[eap] = handled Info: +} # group authenticate = handled Sending Access-Challenge of id 172 to 10.1.0.6 port 39552 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd3dbfc2fd3d9e5d577e0b0bda6fe6517 Info: Finished request 2. ##### CONFIGURATION ##### CONFIGURATION Debug: main { Debug: allow_core_dumps = no Debug: } Debug: including dictionary file /opt/local/etc/raddb/dictionary Debug: main { Debug: name = "radiusd" Debug: prefix = "/opt/local" Debug: localstatedir = "/opt/local/var" Debug: sbindir = "/opt/local/sbin" Debug: logdir = "/opt/local/var/log/radius" Debug: run_dir = "/opt/local/var/run/radiusd" Debug: libdir = "/opt/local/lib" Debug: radacctdir = "/opt/local/var/log/radius/radacct" Debug: hostname_lookups = no Debug: max_request_time = 30 Debug: cleanup_delay = 5 Debug: max_requests = 1024 Debug: pidfile = "/opt/local/var/run/radiusd/radiusd.pid" Debug: checkrad = "/opt/local/sbin/checkrad" Debug: debug_level = 0 Debug: proxy_requests = yes Debug: log { Debug: stripped_names = no Debug: auth = no Debug: auth_badpass = no Debug: auth_goodpass = no Debug: } Debug: security { Debug: max_attributes = 200 Debug: reject_delay = 1 Debug: status_server = yes Debug: } Debug: } Debug: radiusd: #### Loading Realms and Home Servers #### Debug: proxy server { Debug: retry_delay = 5 Debug: retry_count = 3 Debug: default_fallback = no Debug: dead_time = 120 Debug: wake_all_if_all_dead = no Debug: } Debug: home_server localhost { Debug: ipaddr = 127.0.0.1 Debug: port = 1812 Debug: type = "auth" Debug: secret = "testing123" Debug: response_window = 20 Debug: max_outstanding = 65536 Debug: require_message_authenticator = yes Debug: zombie_period = 40 Debug: status_check = "status-server" Debug: ping_interval = 30 Debug: check_interval = 30 Debug: num_answers_to_alive = 3 Debug: num_pings_to_alive = 3 Debug: revive_interval = 120 Debug: status_check_timeout = 4 Debug: coa { Debug: irt = 2 Debug: mrt = 16 Debug: mrc = 5 Debug: mrd = 30 Debug: } Debug: } Debug: home_server_pool my_auth_failover { Debug: type = fail-over Debug: home_server = localhost Debug: } Debug: realm example.com { Debug: auth_pool = my_auth_failover Debug: } Debug: realm LOCAL { Debug: } Debug: radiusd: #### Loading Clients #### Debug: client localhost { Debug: ipaddr = 127.0.0.1 Debug: require_message_authenticator = no Debug: secret = "testing123" Debug: nastype = "other" Debug: } Debug: client 10.1.0.5/32 { Debug: require_message_authenticator = no Debug: secret = "433natoma" Debug: shortname = "cisco_ap1" Debug: } Debug: client 10.1.0.6/32 { Debug: require_message_authenticator = no Debug: secret = "433natoma" Debug: shortname = "cisco_ap2" Debug: } Debug: radiusd: #### Instantiating modules #### Debug: instantiate { Debug: (Loaded rlm_exec, checking if it's valid) Debug: Module: Linked to module rlm_exec Debug: Module: Instantiating module "exec" from file /opt/local/etc/raddb/modules/exec Debug: exec { Debug: wait = no Debug: input_pairs = "request" Debug: shell_escape = yes Debug: timeout = 10 Debug: } Debug: (Loaded rlm_expr, checking if it's valid) Debug: Module: Linked to module rlm_expr Debug: Module: Instantiating module "expr" from file /opt/local/etc/raddb/modules/expr Debug: (Loaded rlm_expiration, checking if it's valid) Debug: Module: Linked to module rlm_expiration Debug: Module: Instantiating module "expiration" from file /opt/local/etc/raddb/modules/expiration Debug: expiration { Debug: reply-message = "Password Has Expired " Debug: } Debug: (Loaded rlm_logintime, checking if it's valid) Debug: Module: Linked to module rlm_logintime Debug: Module: Instantiating module "logintime" from file /opt/local/etc/raddb/modules/logintime Debug: logintime { Debug: reply-message = "You are calling outside your allowed timespan " Debug: minimum-timeout = 60 Debug: } Debug: } Debug: radiusd: #### Loading Virtual Servers #### Debug: server { # from file /opt/local/etc/raddb/radiusd.conf Debug: modules { Debug: Module: Creating Post-Auth-Type = REJECT Debug: Module: Checking authenticate {...} for more modules to load Debug: (Loaded rlm_chap, checking if it's valid) Debug: Module: Linked to module rlm_chap Debug: Module: Instantiating module "chap" from file /opt/local/etc/raddb/modules/chap Debug: (Loaded rlm_mschap, checking if it's valid) Debug: Module: Linked to module rlm_mschap Debug: Module: Instantiating module "mschap" from file /opt/local/etc/raddb/modules/mschap Debug: mschap { Debug: use_mppe = yes Debug: require_encryption = yes Debug: require_strong = yes Debug: with_ntdomain_hack = yes Debug: allow_retry = yes Debug: use_open_directory = yes Debug: } Debug: (Loaded rlm_eap, checking if it's valid) Debug: Module: Linked to module rlm_eap Debug: Module: Instantiating module "eap" from file /opt/local/etc/raddb/eap.conf Debug: eap { Debug: default_eap_type = "peap" Debug: timer_expire = 60 Debug: ignore_unknown_eap_types = no Debug: cisco_accounting_username_bug = no Debug: max_sessions = 4096 Debug: } Debug: Module: Linked to sub-module rlm_eap_md5 Debug: Module: Instantiating eap-md5 Debug: Module: Linked to sub-module rlm_eap_leap Debug: Module: Instantiating eap-leap Debug: Module: Linked to sub-module rlm_eap_gtc Debug: Module: Instantiating eap-gtc Debug: gtc { Debug: challenge = "Password: " Debug: auth_type = "PAP" Debug: } Debug: Module: Linked to sub-module rlm_eap_tls Debug: Module: Instantiating eap-tls Debug: tls { Debug: rsa_key_exchange = no Debug: dh_key_exchange = yes Debug: rsa_key_length = 512 Debug: dh_key_length = 512 Debug: verify_depth = 0 Debug: CA_path = "/opt/local/etc/raddb/certs" Debug: pem_file_type = yes Debug: private_key_file = "/opt/local/etc/raddb/certs/server.pem" Debug: certificate_file = "/opt/local/etc/raddb/certs/server.pem" Debug: CA_file = "/opt/local/etc/raddb/certs/ca.pem" Debug: private_key_password = "whatever" Debug: dh_file = "/opt/local/etc/raddb/certs/dh" Debug: fragment_size = 1024 Debug: include_length = yes Debug: check_crl = no Debug: cipher_list = "DEFAULT" Debug: make_cert_command = "/opt/local/etc/raddb/certs/bootstrap" Debug: ecdh_curve = "prime256v1" Debug: cache { Debug: enable = yes Debug: lifetime = 24 Debug: max_entries = 255 Debug: } Debug: verify { Debug: } Debug: ocsp { Debug: enable = no Debug: override_cert_url = yes Debug: url = "http://127.0.0.1/ocsp/" Debug: use_nonce = yes Debug: timeout = 0 Debug: softfail = no Debug: } Debug: } Debug: Module: Linked to sub-module rlm_eap_ttls Debug: Module: Instantiating eap-ttls Debug: ttls { Debug: default_eap_type = "md5" Debug: copy_request_to_tunnel = no Debug: use_tunneled_reply = no Debug: virtual_server = "inner-tunnel" Debug: include_length = yes Debug: } Debug: Module: Linked to sub-module rlm_eap_peap Debug: Module: Instantiating eap-peap Debug: peap { Debug: default_eap_type = "mschapv2" Debug: copy_request_to_tunnel = no Debug: use_tunneled_reply = no Debug: proxy_tunneled_request_as_eap = yes Debug: virtual_server = "inner-tunnel" Debug: soh = no Debug: } Debug: Module: Linked to sub-module rlm_eap_mschapv2 Debug: Module: Instantiating eap-mschapv2 Debug: mschapv2 { Debug: with_ntdomain_hack = no Debug: send_error = no Debug: } Debug: Module: Checking authorize {...} for more modules to load Debug: (Loaded rlm_preprocess, checking if it's valid) Debug: Module: Linked to module rlm_preprocess Debug: Module: Instantiating module "preprocess" from file /opt/local/etc/raddb/modules/preprocess Debug: preprocess { Debug: huntgroups = "/opt/local/etc/raddb/huntgroups" Debug: hints = "/opt/local/etc/raddb/hints" Debug: with_ascend_hack = no Debug: ascend_channels_per_line = 23 Debug: with_ntdomain_hack = no Debug: with_specialix_jetstream_hack = no Debug: with_cisco_vsa_hack = no Debug: with_alvarion_vsa_hack = no Debug: } Debug: reading pairlist file /opt/local/etc/raddb/huntgroups Debug: reading pairlist file /opt/local/etc/raddb/hints Debug: (Loaded rlm_realm, checking if it's valid) Debug: Module: Linked to module rlm_realm Debug: Module: Instantiating module "ntdomain" from file /opt/local/etc/raddb/modules/realm Debug: realm ntdomain { Debug: format = "prefix" Debug: delimiter = "\" Debug: ignore_default = no Debug: ignore_null = no Debug: } Debug: Module: Checking preacct {...} for more modules to load Debug: (Loaded rlm_acct_unique, checking if it's valid) Debug: Module: Linked to module rlm_acct_unique Debug: Module: Instantiating module "acct_unique" from file /opt/local/etc/raddb/modules/acct_unique Debug: acct_unique { Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" Debug: } Debug: Module: Instantiating module "suffix" from file /opt/local/etc/raddb/modules/realm Debug: realm suffix { Debug: format = "suffix" Debug: delimiter = "@" Debug: ignore_default = no Debug: ignore_null = no Debug: } Debug: (Loaded rlm_files, checking if it's valid) Debug: Module: Linked to module rlm_files Debug: Module: Instantiating module "files" from file /opt/local/etc/raddb/modules/files Debug: files { Debug: usersfile = "/opt/local/etc/raddb/users" Debug: acctusersfile = "/opt/local/etc/raddb/acct_users" Debug: preproxy_usersfile = "/opt/local/etc/raddb/preproxy_users" Debug: compat = "no" Debug: } Debug: reading pairlist file /opt/local/etc/raddb/users Debug: reading pairlist file /opt/local/etc/raddb/acct_users Debug: reading pairlist file /opt/local/etc/raddb/preproxy_users Debug: Module: Checking accounting {...} for more modules to load Debug: (Loaded rlm_detail, checking if it's valid) Debug: Module: Linked to module rlm_detail Debug: Module: Instantiating module "detail" from file /opt/local/etc/raddb/modules/detail Debug: detail { Debug: detailfile = "/opt/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" Debug: header = "%t" Debug: detailperm = 384 Debug: dirperm = 493 Debug: locking = no Debug: log_packet_header = no Debug: } Debug: (Loaded rlm_attr_filter, checking if it's valid) Debug: Module: Linked to module rlm_attr_filter Debug: Module: Instantiating module "attr_filter.accounting_response" from file /opt/local/etc/raddb/modules/attr_filter Debug: attr_filter attr_filter.accounting_response { Debug: attrsfile = "/opt/local/etc/raddb/attrs.accounting_response" Debug: key = "%{User-Name}" Debug: relaxed = no Debug: } Debug: reading pairlist file /opt/local/etc/raddb/attrs.accounting_response Debug: Module: Checking session {...} for more modules to load Debug: (Loaded rlm_radutmp, checking if it's valid) Debug: Module: Linked to module rlm_radutmp Debug: Module: Instantiating module "radutmp" from file /opt/local/etc/raddb/modules/radutmp Debug: radutmp { Debug: filename = "/opt/local/var/log/radius/radutmp" Debug: username = "%{User-Name}" Debug: case_sensitive = yes Debug: check_with_nas = yes Debug: perm = 384 Debug: callerid = yes Debug: } Debug: Module: Checking post-proxy {...} for more modules to load Debug: Module: Checking post-auth {...} for more modules to load Debug: Module: Instantiating module "attr_filter.access_reject" from file /opt/local/etc/raddb/modules/attr_filter Debug: attr_filter attr_filter.access_reject { Debug: attrsfile = "/opt/local/etc/raddb/attrs.access_reject" Debug: key = "%{User-Name}" Debug: relaxed = no Debug: } Debug: reading pairlist file /opt/local/etc/raddb/attrs.access_reject Debug: } # modules Debug: } # server Debug: server inner-tunnel { # from file /opt/local/etc/raddb/sites-enabled/inner-tunnel Debug: modules { Debug: Module: Checking authenticate {...} for more modules to load Debug: (Loaded rlm_pap, checking if it's valid) Debug: Module: Linked to module rlm_pap Debug: Module: Instantiating module "pap" from file /opt/local/etc/raddb/modules/pap Debug: pap { Debug: encryption_scheme = "auto" Debug: auto_header = no Debug: } Debug: (Loaded rlm_unix, checking if it's valid) Debug: Module: Linked to module rlm_unix Debug: Module: Instantiating module "unix" from file /opt/local/etc/raddb/modules/unix Debug: unix { Debug: radwtmp = "/opt/local/var/log/radius/radwtmp" Debug: } Debug: Module: Checking authorize {...} for more modules to load Debug: (Loaded rlm_ldap, checking if it's valid) Debug: Module: Linked to module rlm_ldap Debug: Module: Instantiating module "ldap" from file /opt/local/etc/raddb/modules/ldap Debug: ldap { Debug: server = "10.1.0.20" Debug: port = 389 Debug: password = "ykFeQcvhgWpEgT4nKekgZNmCyz8e" Debug: expect_password = yes Debug: identity = "cn=admin,dc=sirono,dc=com" Debug: net_timeout = 1 Debug: timeout = 4 Debug: timelimit = 3 Debug: max_uses = 0 Debug: tls_mode = no Debug: start_tls = no Debug: tls_require_cert = "allow" Debug: tls { Debug: start_tls = no Debug: require_cert = "allow" Debug: } Debug: basedn = "ou=people,dc=sirono,dc=com" Debug: filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" Debug: base_filter = "(objectclass=inetOrgPerson)" Debug: auto_header = no Debug: access_attr_used_for_allow = yes Debug: groupname_attribute = "cn" Debug: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" Debug: dictionary_mapping = "/opt/local/etc/raddb/ldap.attrmap" Debug: ldap_debug = 0 Debug: ldap_connections_number = 5 Debug: compare_check_items = no Debug: do_xlat = yes Debug: set_auth_type = no Debug: keepalive { Debug: idle = 60 Debug: probes = 3 Debug: interval = 3 Debug: } Debug: } Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap Debug: rlm_ldap: reading ldap<->radius mappings from file /opt/local/etc/raddb/ldap.attrmap Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password Debug: rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password Debug: rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message Debug: rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type Debug: rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type Debug: rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id Debug: conns: 0x7fe01ac55ea0 Debug: Module: Checking session {...} for more modules to load Debug: Module: Checking post-proxy {...} for more modules to load Debug: Module: Checking post-auth {...} for more modules to load Debug: } # modules Debug: } # server Debug: radiusd: #### Opening IP addresses and Ports #### Debug: listen { Debug: type = "auth" Debug: ipaddr = * Debug: port = 0 Debug: } Debug: listen { Debug: type = "acct" Debug: ipaddr = * Debug: port = 0 Debug: } Debug: listen { Debug: type = "control" Debug: listen { Debug: socket = "/opt/local/var/run/radiusd/radiusd.sock" Debug: } Debug: } Debug: listen { Debug: type = "auth" Debug: ipaddr = 127.0.0.1 Debug: port = 18120 Debug: }
On 13 Nov 2014, at 23:39, Joshua <mrl0lz@gmail.com> wrote:
if say a user restarts his OS X Yosemite laptop on reboot it will report loss of network and fail to connect.
If you're seeing an Access-Challenge message as the last packet in the conversation, then there are two possibilities: * The client is choosing not responding to the challenge * The client never receives the challenge In either case, you're looking in the wrong place - only your NAS or your supplicant can tell you which has happened (and why). Yosemite currently has a large number of issues relating to WiFi; I would avoid debugging this further until 10.10.1 is available, as you could find that it'll Just Work (R). Adam Bishop gpg: 0x6609D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 882 5529 90. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 614 9442 38. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Thanks for the quick response! I suspected something larger was at play here. I'll sit on it until the next OS X release On Thu, Nov 13, 2014 at 4:26 PM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On 13 Nov 2014, at 23:39, Joshua <mrl0lz@gmail.com> wrote:
if say a user restarts his OS X Yosemite laptop on reboot it will report loss of network and fail to connect.
If you're seeing an Access-Challenge message as the last packet in the conversation, then there are two possibilities: * The client is choosing not responding to the challenge * The client never receives the challenge
In either case, you're looking in the wrong place - only your NAS or your supplicant can tell you which has happened (and why).
Yosemite currently has a large number of issues relating to WiFi; I would avoid debugging this further until 10.10.1 is available, as you could find that it'll Just Work (R).
Adam Bishop
gpg: 0x6609D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 882 5529 90. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 614 9442 38. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Not to get too far down a tangent, but if this is happening after a resume, ISTR seeing it suggested that turning off bluetooth can help a similar problem on some chipsets. Definitely a client-side issue. Both Yosemite and Win 8.1 are not robust enterprise clients. That products from such major manufacturers can make it out to the field in this state is just crazy, and us admins have to hunker down and try to find workarounds before the pitchfork-wielding mobs of users find us, all the while hoping Apple or MS will fix their crap. ________________________________ From: freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org [freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org] on behalf of Joshua [mrl0lz@gmail.com] Sent: Thursday, November 13, 2014 7:41 PM To: FreeRadius users mailing list Subject: Re: Resume failing on system reboot Thanks for the quick response! I suspected something larger was at play here. I'll sit on it until the next OS X release On Thu, Nov 13, 2014 at 4:26 PM, Adam Bishop <Adam.Bishop@jisc.ac.uk<mailto:Adam.Bishop@jisc.ac.uk>> wrote: On 13 Nov 2014, at 23:39, Joshua <mrl0lz@gmail.com<mailto:mrl0lz@gmail.com>> wrote:
if say a user restarts his OS X Yosemite laptop on reboot it will report loss of network and fail to connect.
If you're seeing an Access-Challenge message as the last packet in the conversation, then there are two possibilities: * The client is choosing not responding to the challenge * The client never receives the challenge In either case, you're looking in the wrong place - only your NAS or your supplicant can tell you which has happened (and why). Yosemite currently has a large number of issues relating to WiFi; I would avoid debugging this further until 10.10.1 is available, as you could find that it'll Just Work (R). Adam Bishop gpg: 0x6609D460 jisc.ac.uk<http://jisc.ac.uk> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 882 5529 90. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 614 9442 38. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
try to find workarounds before the pitchfork-wielding mobs of users find us
Workaround = 22mm steel plate. The burning pitchfork mob may know where I am but they can't get to me. I just hope that my food and water supply last until Apple and MS have released working patch updates! ;) alan
participants (4)
-
Adam Bishop -
Alan Buxey -
Brian Julin -
Joshua