MacOSX Leopard authentication with Freeradius

Jelle Langbroek jml at orkz.net
Tue Jun 17 20:24:13 CEST 2008


Hi,

I'm using freeRadius 2.0.3 on my WLAN. I have WindowsXP, WindowsVista and
Apple (OSX) clients. Windows clients authenticate well with freeRadius but I
have problems with OSX Leopard. I can't figure out where the problem
originates from. I'm using MySQL, Cleartext-Passwords, PEAP auth,
WPA-Enterprise, AES. The error that pops up while authenticating OSX is the
following (see below for extended logs):

Tue Jun 17 20:02:53 2008 : Error: TLS Alert read:warning:close notify
Tue Jun 17 20:02:53 2008 : Auth: Login incorrect: [userX] (from client
NAS1-WiFi port 8 cli 001c34c14d76)

Does anybody have experience with OSX clients and freeRadius? Does anybody
have a radiusd and eap configuration file which is known to work with OSX
Leopard and could you post it to me?
Of course I realise that the problem could be with the AP (WAP54G) or the
clients themselves. I've done many hours of testing/reading though but can't
figure out what's causing it.

Ok, thanks for all your help!


gr, Jelle


Logs of "radiusd -X":
-> As you can see I use a little bit of a hacked version of the SQL
implementation to use another MySQL table (integration with Lan Management
System), but that shouldn't matter. As I said, other clients authenticate
without problems.

        User-Name = "userX"
        NAS-IP-Address = 172.16.27.18
        Called-Station-Id = "001a70abad32"
        Calling-Station-Id = "001b63c13f76"
        NAS-Identifier = "001a70abad32"
        NAS-Port = 8
        Framed-MTU = 1400
        State = 0xeb256c65e8d575619976542f479f49d4
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x02f0002f1980000000251503010020c5ac7365546396895a7fb74e2ab11d3ec7a8f2de0a7c761fda82cbd9f1a99de2
        Message-Authenticator = 0x2f90d0e5a8325a3bf379f1243dda8195
+- entering group authorize
++[preprocess] returns ok
        expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/172.16.27.18/auth-detail-20080617
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/172.16.27.18/auth-detail-20080617
        expand: %t -> Tue Jun 17 20:17:07 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 240 length 47
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
        expand: %{User-Name} -> userX
rlm_sql (sql): sql_set_user escaped user --> 'userX'
rlm_sql (sql): Reserving sql socket id: 0
        expand: SELECT ownerid as id, username, 'Cleartext-Password' as
attribute, passwd as value, ':=' as op           FROM nodes           WHERE
username = '%{SQL-User-Name}'           ORDER BY id -> SELECT ownerid as id,
username, 'Cleartext-Password' as attribute, passwd as value, ':=' as
op           FROM nodes           WHERE username = 'userX'           ORDER
BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT ownerid as id, username, 'Cleartext-Password' as
attribute, passwd as value, ':=' as op           FROM nodes           WHERE
username = '%{SQL-User-Name}'           ORDER BY id -> SELECT ownerid as id,
username, 'Cleartext-Password' as attribute, passwd as value, ':=' as
op           FROM nodes           WHERE username = 'userX'           ORDER
BY id
        expand: SELECT 'dynamic' as groupname           FROM
customers           WHERE name = '%{SQL-User-Name}'           ORDER BY id ->
SELECT 'dynamic' as groupname           FROM customers           WHERE name
= 'userX'           ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 37
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], warning close_notify
TLS Alert read:warning:close notify
SSL Connection Established
rlm_eap_tls: Application Data
  rlm_eap_peap: Tunneled data is invalid.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [userX/<via Auth-Type = EAP>] (from client NAS1-WiFi port 8
cli 001b63c13f76)
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
        EAP-Message = 0x04f00004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 9 ID 0 with timestamp +33
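An added decoder (not part of the original post or of FreeRADIUS) that walks the EAP-Message hex shown in the debug output above, using the standard EAP (RFC 3748) and EAP-TLS/PEAP (RFC 5216) field layout. Fed the two captured values from this log it recovers the figures radiusd prints: Response, id 240, length 47, type PEAP, "Length Included", TLS length 37, and one TLS 1.0 alert record whose 32-byte body is encrypted (only the server, after decryption, sees it is warning close_notify); the final 0x04f00004 is the EAP Failure that is sent back. The two hex strings are taken from the log; nothing else is assumed.

```python
"""Decode the EAP-Message attribute that 'radiusd -X' prints as hex."""
import binascii
from dataclasses import dataclass, field
from typing import List, Optional

# Field names per RFC 3748 (EAP) and RFC 5216 (EAP-TLS flags, reused by PEAP).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Values copied from the debug log above (client response, then server reply).
CAPTURED_RESPONSE = ("0x02f0002f1980000000251503010020"
                     "c5ac7365546396895a7fb74e2ab11d3ec7a8f2de0a7c761fda82cbd9f1a99de2")
CAPTURED_FAILURE = "0x04f00004"


@dataclass
class TlsRecord:
    content_type: str
    version: str
    length: int          # body length; body is encrypted once the tunnel is up


@dataclass
class EapMessage:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str] = None
    length_included: bool = False   # L flag: 4-byte TLS message length follows
    more_fragments: bool = False    # M flag: more EAP fragments to come
    start: bool = False             # S flag: EAP-TLS/PEAP start
    peap_version: Optional[int] = None
    tls_message_length: Optional[int] = None
    records: List[TlsRecord] = field(default_factory=list)


def parse_eap_message(hex_str: str) -> EapMessage:
    """Parse one EAP packet (hex, optional 0x prefix) into its header fields."""
    digits = hex_str[2:] if hex_str.lower().startswith("0x") else hex_str
    raw = binascii.unhexlify(digits)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    msg = EapMessage(code=EAP_CODES.get(code, f"unknown({code})"),
                     identifier=ident, length=length)
    # Success and Failure carry no Type byte and no payload.
    if code not in (1, 2) or length < 5:
        return msg
    eap_type = raw[4]
    msg.eap_type = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type not in (13, 21, 25) or length < 6:
        return msg
    flags = raw[5]
    msg.length_included = bool(flags & 0x80)
    msg.more_fragments = bool(flags & 0x40)
    msg.start = bool(flags & 0x20)
    if eap_type in (21, 25):
        msg.peap_version = flags & 0x07      # low bits carry the PEAP/TTLS version
    offset = 6
    if msg.length_included:
        msg.tls_message_length = int.from_bytes(raw[6:10], "big")
        offset = 10
    tls = raw[offset:]
    # Walk the TLS record headers only when the message is not fragmented.
    while not msg.more_fragments and len(tls) >= 5:
        ctype = tls[0]
        version = int.from_bytes(tls[1:3], "big")
        body_len = int.from_bytes(tls[3:5], "big")
        msg.records.append(TlsRecord(
            TLS_CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            TLS_VERSIONS.get(version, hex(version)), body_len))
        tls = tls[5 + body_len:]
    return msg


if __name__ == "__main__":
    for label, value in (("client", CAPTURED_RESPONSE), ("server", CAPTURED_FAILURE)):
        print(label, parse_eap_message(value))
```

Reading the output next to the log: the client answers the server's PEAP round with a single TLS alert record immediately after "Session established", which is why rlm_eap_peap reports the tunneled data as invalid and the server replies with an EAP Failure carrying the same identifier (240). The decoder cannot tell you why the client closed the tunnel; that has to come from the client side (its trust decision on the server certificate or its inner-authentication settings), which is where the thread's question is pointing.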