MacOSX Leopard authentication with Freeradius
Jelle Langbroek
jml at orkz.net
Tue Jun 17 20:24:13 CEST 2008
Hi,
I'm using freeRadius 2.0.3 on my WLAN. I have Windows XP, Windows Vista and
Apple (OSX) clients. Windows clients authenticate well with freeRadius but I
have problems with OSX Leopard. I can't figure out where the problem
originates from. I'm using MySQL, Cleartext-Passwords, PEAP auth,
WPA-Enterprise, AES. The error that pops up while authenticating OSX is the
following (see below for extended logs):
Tue Jun 17 20:02:53 2008 : Error: TLS Alert read:warning:close notify
Tue Jun 17 20:02:53 2008 : Auth: Login incorrect: [userX] (from client
NAS1-WiFi port 8 cli 001c34c14d76)
Does anybody have experience with OSX clients and freeRadius? Does anybody
have a radiusd and eap configuration file which is known to work with OSX
Leopard and could you post it to me?
Of course I realise that the problem could be with the AP (WAP54G) or the
clients themselves. I've done many hours of testing/reading, though, but can't
figure out what's causing it.
Ok, thanks for all your help!
gr, Jelle
Logs of "radiusd -X":
-> As you can see, I use a little bit of a hacked version of the SQL
implementation to use another MySQL table (integration with Lan Management
System), but that shouldn't matter. As I said, other clients authenticate
without problems.
User-Name = "userX"
NAS-IP-Address = 172.16.27.18
Called-Station-Id = "001a70abad32"
Calling-Station-Id = "001b63c13f76"
NAS-Identifier = "001a70abad32"
NAS-Port = 8
Framed-MTU = 1400
State = 0xeb256c65e8d575619976542f479f49d4
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02f0002f1980000000251503010020c5ac7365546396895a7fb74e2ab11d3ec7a8f2de0a7c761fda82cbd9f1a99de2
Message-Authenticator = 0x2f90d0e5a8325a3bf379f1243dda8195
+- entering group authorize
++[preprocess] returns ok
expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/172.16.27.18/auth-detail-20080617
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/172.16.27.18/auth-detail-20080617
expand: %t -> Tue Jun 17 20:17:07 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "userX", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 240 length 47
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
expand: %{User-Name} -> userX
rlm_sql (sql): sql_set_user escaped user --> 'userX'
rlm_sql (sql): Reserving sql socket id: 0
expand: SELECT ownerid as id, username, 'Cleartext-Password' as
attribute, passwd as value, ':=' as op FROM nodes WHERE
username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id,
username, 'Cleartext-Password' as attribute, passwd as value, ':=' as
op FROM nodes WHERE username = 'userX' ORDER
BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT ownerid as id, username, 'Cleartext-Password' as
attribute, passwd as value, ':=' as op FROM nodes WHERE
username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id,
username, 'Cleartext-Password' as attribute, passwd as value, ':=' as
op FROM nodes WHERE username = 'userX' ORDER
BY id
expand: SELECT 'dynamic' as groupname FROM
customers WHERE name = '%{SQL-User-Name}' ORDER BY id ->
SELECT 'dynamic' as groupname FROM customers WHERE name
= 'userX' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 37
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], warning close_notify
TLS Alert read:warning:close notify
SSL Connection Established
rlm_eap_tls: Application Data
rlm_eap_peap: Tunneled data is invalid.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [userX/<via Auth-Type = EAP>] (from client NAS1-WiFi port 8
cli 001b63c13f76)
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
EAP-Message = 0x04f00004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 9 ID 0 with timestamp +33
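The following is an added example, not part of the original post and not FreeRADIUS code: a small decoder for the two EAP-Message values in the debug log above, showing how the raw bytes map to the "response id 240 length 47", "TLS Length 37", "Length Included" and "TLS 1.0 Alert" lines. The function names are hypothetical, and the decoder assumes an unfragmented EAP message (a later fragment would start mid-record).

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# EAP-Message values copied from the debug log above (client response, server reject).
CLIENT_EAP = ("0x02f0002f1980000000251503010020"
              "c5ac7365546396895a7fb74e2ab11d3ec7a8f2de0a7c761fda82cbd9f1a99de2")
REJECT_EAP = "0x04f00004"

def tls_records(data):
    """Return (content type, version, body length) for each TLS record header found."""
    records = []
    while len(data) >= 5:
        ctype, version, rlen = struct.unpack("!BHH", data[:5])
        records.append((TLS_CONTENT.get(ctype, ctype), TLS_VERSIONS.get(version, hex(version)), rlen))
        data = data[5 + rlen:]  # a record cut short by EAP fragmentation ends the walk
    return records

def decode_eap(hex_value):
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or length < 5:      # Success/Failure carry no Type field
        return pkt
    pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
    if raw[4] not in (13, 21, 25) or length < 6:
        return pkt
    flags, body = raw[5], raw[6:]         # TLS-based methods: flags octet follows Type
    pkt["length_included"] = bool(flags & 0x80)
    pkt["more_fragments"] = bool(flags & 0x40)
    pkt["start"] = bool(flags & 0x20)
    if pkt["length_included"]:
        if len(body) < 4:
            raise ValueError("L flag set but TLS length field missing")
        pkt["tls_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    pkt["records"] = tls_records(body)
    return pkt

if __name__ == "__main__":
    print(decode_eap(CLIENT_EAP))
    print(decode_eap(REJECT_EAP))
```

The 32-byte record body is ciphertext, so the alert level and description (warning, close_notify in the log) are visible only to the server after it decrypts the record inside the established tunnel.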