Apple clients suddenly can't authenticate to EAP-MSCHAPV2
Casartello, Thomas
tomc at westfield.ma.edu
Sun Sep 2 03:33:51 CEST 2012
Having a bizarre problem that started due to someone in my department deleting the samba computer account for my freeradius machine. I recreated it and for a time everything went back to normal, but later that afternoon all of my apple clients can simply not connect to our 802.1x enabled wireless network. We are using Cisco wireless controllers. Radiusd -X doesn't seem to be giving me enough debug output. Is there any suggestion as to drill down further to see what is going on here. I am having no issues with my Windows 7 clients and Windows mobile devices. Simply not getting enough information. Everything has been working fine for months and I don't understand why all of the sudden this is going on and why its only affecting Apple IOS devices and iMacs so far. Here's an example output. This simply loops over and over again:
rad_recv: Access-Request packet from host 172.20.9.253 port 32769, id=63, length=228
User-Name = "oclarke"
Calling-Station-Id = "10-40-f3-27-b9-83"
Called-Station-Id = "00-1f-c9-ff-8a-d0:s-wsc"
NAS-Port = 29
Cisco-AVPair = "audit-session-id=ac1409fd000000085042b3cc"
NAS-IP-Address = 172.20.9.253
NAS-Identifier = "diller-wism-b"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "891"
EAP-Message = 0x0207000c016f636c61726b65
Message-Authenticator = 0x6015385c05fd07141cd27b2bd7d4452a
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "oclarke", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "oclarke", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "oclarke", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 7 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 216
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 63 to 172.20.9.253 port 32769
EAP-Message = 0x010800061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0ca5d3010cadca632a899d669d6fd38b
Finished request 218.
Going to the next request
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120902/0b477a04/attachment.html>
More information about the Freeradius-Users
mailing list