Freeradius Auth Issues on Password Change
Alan DeKok
aland at deployingradius.com
Wed Feb 19 08:57:23 CET 2020
On Feb 19, 2020, at 5:11 AM, Damon McManus <d.mcmanus at swissport.com.au> wrote:
>
> I have been using freeradius for a while now in production and it was all
> working fine. It is authenticating against Active Directory using EAP and
> MSCHAP. Our network runs only Apple Macs. About twelve or eighteen
> months ago or so Apple seemed to make a change to their wireless configuration
> (maybe the driver?) for newer Macs. Since then we have had an issue when
> a user's password expires. The authentication seems to get into a loop of
> the following messages.

I use Macs and FreeRADIUS for authentication all of the time. It seems to work.

>
> (24) eap: Peer sent packet with method EAP Identity (1)
> (24) eap: Calling submodule eap_md5 to process data
> (24) eap_md5: Issuing MD5 Challenge

You probably want to change mods-enabled/eap, and set default_eap_type = peap

That will prevent it from doing MD5, NAKing it, and then doing PEAP.

Other than that, nothing else in the debug log looks wrong.

> If I forget the wireless network on the client OS and then reconnect it
> works fine. Can you experts see the error on the radius side or have you
> heard of this issue before? I recently upgraded the radius server (running
> Amazon Linux 2) from version 2 to version 3.0.13 but that hasn't seemed to
> have fixed it.

Then it's an Apple issue :(

Alan DeKok.
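
The MD5 offer, NAK, then PEAP sequence described in the reply above, as an added example that is not part of the original post and not FreeRADIUS code: a minimal model of the RFC 3748 packets, comparing a server whose default method is MD5-Challenge with one whose default is PEAP. The function names, the PEAP-only peer, and the one-byte placeholder for the peer's PEAP response are assumptions.

```python
import os
import struct

REQUEST, RESPONSE = 1, 2                  # EAP codes (RFC 3748)
IDENTITY, NAK, MD5, PEAP = 1, 3, 4, 25    # EAP method type numbers
NAMES = {IDENTITY: "Identity", NAK: "Nak", MD5: "MD5-Challenge", PEAP: "PEAP"}

def eap(code, ident, eap_type, data=b""):
    """Code(1) Identifier(1) Length(2, whole packet) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse(pkt):
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    return code, ident, eap_type, pkt[5:length]

def server_offer(method, ident):
    if method == MD5:                     # Value-Size byte + 16-byte challenge
        return eap(REQUEST, ident, MD5, b"\x10" + os.urandom(16))
    return eap(REQUEST, ident, PEAP, b"\x20")   # flags byte with the Start bit set

def peer_reply(request, supported):
    """Continue with an offered method the peer supports, else send a Legacy Nak."""
    _, ident, offered, _ = parse(request)
    if offered in supported:
        # Constructed placeholder: a real peer would carry a TLS ClientHello here.
        return eap(RESPONSE, ident, offered, b"\x00")
    return eap(RESPONSE, ident, NAK, bytes(supported))   # types the peer wants

def negotiate(default_eap_type, server_methods=(MD5, PEAP), peer_methods=(PEAP,)):
    """Return (packets exchanged after Identity, trace of who sent what)."""
    trace, ident, method = [], 2, default_eap_type
    while True:
        req = server_offer(method, ident)
        rsp = peer_reply(req, peer_methods)
        trace += [f"server -> {NAMES[parse(req)[2]]}",
                  f"peer -> {NAMES[parse(rsp)[2]]}"]
        _, _, rtype, data = parse(rsp)
        if rtype != NAK:
            return len(trace), trace
        wanted = [t for t in data if t in server_methods]
        if not wanted:
            raise ValueError("no mutually acceptable EAP method")
        method, ident = wanted[0], ident + 1   # retry with the peer's choice

if __name__ == "__main__":
    for default in (MD5, PEAP):
        count, trace = negotiate(default)
        print(f"default method {NAMES[default]}: {count} packets: {trace}")
```

With MD5-Challenge as the default the peer's first response is a Nak and the method only starts on the second offer; with PEAP as the default the first offer is accepted.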