Apple clients suddenly can't authenticate to EAP-MSCHAPV2
tomc at westfield.ma.edu
Sun Sep 2 17:06:40 CEST 2012
Problem resolved....My network admin made a change to an outbound access list blocking the radius server from communicating with these controllers. He just undid it and it's working now...........
From: freeradius-users-bounces+tomc=westfield.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tomc=westfield.ma.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Sunday, September 02, 2012 2:52 AM
To: FreeRadius users mailing list
Subject: Re: Apple clients suddenly can't authenticate to EAP-MSCHAPV2
Casartello, Thomas wrote:
> Having a bizarre problem that started due to someone in my department
> deleting the samba computer account for my freeradius machine. I
> recreated it and for a time everything went back to normal, but later
> that afternoon all of my apple clients can simply not connect to our
> 802.1x enabled wireless network.
That's what backups are for. Re-creating the account doesn't mean it has the same configuration as before.
> We are using Cisco wireless
> controllers. Radiusd –X doesn’t seem to be giving me enough debug
> output. Is there any suggestion as to drill down further to see what
> is going on here. I am having no issues with my Windows 7 clients and
> Windows mobile devices. Simply not getting enough information.
> Everything has been working fine for months and I don’t understand why
> all of the sudden this is going on and why its only affecting Apple
> IOS devices and iMacs so far. Here’s an example output. This simply
> loops over and over again:
> rad_recv: Access-Request packet from host 172.20.9.253 port 32769,
> id=63, length=228
> EAP-Message = 0x0207000c016f636c61726b65
That's an EAP identity message, for user "oclarke".
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
That's all fine.
> Sending Access-Challenge of id 63 to 172.20.9.253 port 32769
> EAP-Message = 0x010800061920
That's PEAP, and and empty PEAP packet, too. That's wrong.
Are you sure nothing else changed on the RADIUS server?
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users