Apple clients suddenly can't authenticate to EAP-MSCHAPV2

Casartello, Thomas tomc at westfield.ma.edu
Sun Sep 2 16:14:46 CEST 2012


Thanks for the response. The issue seems to be linked to specific Cisco controllers. One set of our controllers is working fine. This issue isn't making any sense as the configuration on both controllers is identical as far as I can see. As far as the computer account it was just a basic account with no additional settings. I've had to do this before because the same person deleted the account on me and in the past I never had an issue. I was originally thinking maybe it was a cert problem and I updated the certificate chain on the server but it doesn’t appear to be cert related as if I take the device to a controller that’s working I have no problem (I did get a cert error as it appears my phone doesn’t have the most recent CA cert but when I accepted the cert it worked fine.) It's directly related to different controllers without exception. I'm going to have to talk to my network admin to see if something changed with our network gear. We also have basic LDAP authentication going on on a separate SSID that's processed through the radius server (regular PAP) and the same controllers appear to be having issues with that as well. On that I'm seeing radius send back an access-accept packet back to the controller but the controller still rejects the connection. I'm going to try to setup a new radius server on a different section of the network and see if those controllers react any differently.

-----Original Message-----
From: freeradius-users-bounces+tomc=westfield.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tomc=westfield.ma.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Sunday, September 02, 2012 2:52 AM
To: FreeRadius users mailing list
Subject: Re: Apple clients suddenly can't authenticate to EAP-MSCHAPV2

Casartello, Thomas wrote:
> Having a bizarre problem that started due to someone in my department 
> deleting the samba computer account for my freeradius machine. I 
> recreated it and for a time everything went back to normal, but later 
> that afternoon all of my apple clients can simply not connect to our 
> 802.1x enabled wireless network.

  That's what backups are for.  Re-creating the account doesn't mean it has the same configuration as before.

> We are using Cisco wireless
> controllers. Radiusd –X doesn’t seem to be giving me enough debug 
> output. Is there any suggestion as to drill down further to see what 
> is going on here. I am having no issues with my Windows 7 clients and 
> Windows mobile devices. Simply not getting enough information.
> Everything has been working fine for months and I don’t understand why 
> all of the sudden this is going on and why its only affecting Apple 
> IOS devices and iMacs so far. Here’s an example output.  This simply 
> loops over and over again:

  Well..

> rad_recv: Access-Request packet from host 172.20.9.253 port 32769, 
> id=63, length=228
...
>         EAP-Message = 0x0207000c016f636c61726b65

  That's an EAP identity message, for user "oclarke".

> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled

  That's all fine.

> Sending Access-Challenge of id 63 to 172.20.9.253 port 32769
> 
>         EAP-Message = 0x010800061920

  That's PEAP, and and empty PEAP packet, too.  That's wrong.

  Are you sure nothing else changed on the RADIUS server?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list