Freeradius Auth Issues on Password Change

Alan DeKok aland at
Wed Feb 19 08:57:23 CET 2020

On Feb 19, 2020, at 5:11 AM, Damon McManus <d.mcmanus at> wrote:
> I have been using freeradius for a while now in production and it was all
> working fine.  It is authenticating against Active Directory using EAP and
> MSCHAP.  Our network runs only Apple Macs.   About twelve or eighteen
> months ago so Apple seemed to make a change to their wireless configuration
> (maybe the driver?) for newer macs .  Since then we have had an issue when
> a user's password expires.  The authentication seems to get into a loop of
> the following messages.

  I use Macs and FreeRADIUS for authentication all of the time.  It seems to work.
> (24) eap: Peer sent packet with method EAP Identity (1)
> (24) eap: Calling submodule eap_md5 to process data
> (24) eap_md5: Issuing MD5 Challenge

  You probably want to change mods-enabled/eap, and set default_eap_type = peap

  That will prevent it from doing MD5, NAKing it, and then doing PEAP.

  Other than that, nothing else in the debug log looks wrong.

> If I forget the wireless network on the client OS and then reconnect it
> works fine.  Can you experts see the error on the radius side or have you
> heard of this issue before?  I recently upgraded the radius server (running
> Amazon Linux 2) from version 2 to version 3.0.13 but that hasn't seemed to
> have fixed it.

  Then it's an Apple issue :(

  Alan DeKok.

More information about the Freeradius-Users mailing list