1st time authentication of a supplicant loops

Alan DeKok aland at deployingradius.com
Sun Nov 29 22:06:34 CET 2020

On Nov 29, 2020, at 2:08 PM, Axel Rau <Axel.Rau at chaos1.de> wrote:
> I'm new to FreeRADIUS and working on a WLAN application with MikroTik NAS and dynamic VLANs.
> My supplicants are Apple devices (recent OS version on iMac and iPhone, 10.13 on a MacBook).
> When such a supplicant switches the WLAN to my test WLAN and authenticates for the first time, the authentication process loops, takes very long and sometimes fails completely.

  What does the debug log look like when that happens?

  The authentication process doesn't "loop".  If the device doesn't get authenticated, it might retry many times.  But that's a bit different.

> When I add a MAC-based entry of the device being tested to the username/password entry like so
> 	"D6:B5:E4:2A:3A:1C" Cleartext-Password := "D6:B5:E4:2A:3A:1C"
> it succeeds immediately (example appended).

  I don't think this is what fixes it.  See the debug output.

> This requirement makes it impossible for me to have a guest account, where the mac addresses are unknown.
> I could provide a trace of such an unsuccessful authentication attempt, but I would prefer to provide it as attachment, because it will be very long.

  You only need to post one unsuccessful authentication attempt.  You don't need to post multiple retries.  The authentication attempt will either end in Access-Reject, *or* the client will start over from scratch.

> Any help greatly appreciated,
> Axel
> ps: the trace follows:

  Which is exactly what is needed to understand what's going on.

> (10) eap_peap: Got tunneled request
> (10) eap_peap:   EAP-Message = 0x020900491a02090044310718db4dc9454966aebc7874449472950000000000000000b3858f6a34c7d630f8912a1c043120a9bede5319ce142add00616a725f61745f6d6163626f6f6b
> (10) eap_peap: Setting User-Name to ajr_at_macbook
> (10) eap_peap: Sending tunneled request to inner-tunnel
> (10) eap_peap:   EAP-Message = 0x020900491a02090044310718db4dc9454966aebc7874449472950000000000000000b3858f6a34c7d630f8912a1c043120a9bede5319ce142add00616a725f61745f6d6163626f6f6b
> (10) eap_peap:   FreeRADIUS-Proxied-To =
> (10) eap_peap:   User-Name = "ajr_at_macbook"

  So the inner identity is *not* the MAC address.

> ...
> (10)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
> (10)     authorize {
> ...
> (10) files: users: Matched entry ajr_at_macbook at line 30
> (10)       [files] = ok

  Which is pretty clear.

  You have a name / password for the user in mods-config/files/authorize.  At line 30.

  The MAC address configuration you added either doesn't do anything, *or* it avoids some other configuration you added.  And that other configuration is what's breaking the server.

  The default configuration works if you just add a name / password to mods-config/files/authorize.  So what else did you change?

  Alan DeKok.
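An added example, not part of Alan's reply or of FreeRADIUS itself: a small Python script that groups debug output by request number and reports, per request, the inner-tunnel identity, the users-file entry that matched and the packet type finally sent, so the one attempt worth posting can be picked out of a long trace. The sample lines are constructed and the exact line shapes are assumed from the thread.

```python
import re
from collections import OrderedDict

# Constructed sample debug output (not from the original post); line shapes
# are assumed from the "(N) ..." prefix style shown in the thread.
SAMPLE_LOG = """\
(10) eap_peap: Setting User-Name to ajr_at_macbook
(10) eap_peap: Sending tunneled request to inner-tunnel
(10) files: users: Matched entry ajr_at_macbook at line 30
(10)       [files] = ok
(10) Sent Access-Challenge Id 10 from 192.0.2.1:1812 to 192.0.2.2:5000 length 0
(11) eap_peap: Setting User-Name to ajr_at_macbook
(11) files: users: Matched entry ajr_at_macbook at line 30
(11)       [files] = ok
(11) Sent Access-Accept Id 11 from 192.0.2.1:1812 to 192.0.2.2:5000 length 0
(12) eap_peap: Setting User-Name to guest
(12) Sent Access-Reject Id 12 from 192.0.2.1:1812 to 192.0.2.2:5000 length 0
"""

REQ = re.compile(r"^\((\d+)\)\s+(.*)$")                      # "(N) rest"
INNER = re.compile(r"eap_peap: Setting User-Name to (\S+)")   # inner identity
MATCH = re.compile(r"files: users: Matched entry (\S+) at line (\d+)")
SENT = re.compile(r"Sent (Access-\w+) Id")                    # packet sent back

def summarize(log_text):
    """Per request number: inner-tunnel identity, matched users-file
    entry and line, and the packet type the server finally sent."""
    reqs = OrderedDict()
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        rid, rest = int(m.group(1)), m.group(2)
        r = reqs.setdefault(rid, {"inner_user": None, "entry": None,
                                  "line": None, "sent": None})
        if (u := INNER.search(rest)):
            r["inner_user"] = u.group(1)
        elif (e := MATCH.search(rest)):
            r["entry"], r["line"] = e.group(1), int(e.group(2))
        elif (s := SENT.search(rest)):
            r["sent"] = s.group(1)
    return reqs

def final_outcome(reqs):
    """The attempt ends at the first Access-Accept or Access-Reject; that
    request (and the ones leading to it) is what to post, not every retry."""
    for rid, r in reqs.items():
        if r["sent"] in ("Access-Accept", "Access-Reject"):
            return rid, r
    return None
```

Run it over a full `radiusd -X` capture to see which identity the inner tunnel actually used and which users-file line matched, rather than guessing from the MAC-address entry.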
