iOS devices don't authorize on wireless networks
Vahap Can Dulkadiroğlu
can.dulkadiroglu at samsun.edu.tr
Wed Apr 14 14:24:56 CEST 2021
But in this way, I provided authorization for Wi-Fi on Windows, Ubuntu and
Android operating systems. The only one I cannot do it for is iOS. I also verify with
TTLS + PAP; only iOS now gives an error. How can I authorize wireless
networks with TTLS + PAP for iOS?
The full debug output for ber_get_next failed:
Debug: (17) ldap: User object found at DN
"uid=can.dulkadiroglu,ou=Users,dc=samsun,dc=edu,dc=tr"
Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Processing user attributes
Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Attribute "userPassword" not
found in LDAP object
Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Attribute
"radiusControlAttribute" not found in LDAP object
Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Attribute
"radiusRequestAttribute" not found in LDAP object
Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Attribute
"radiusReplyAttribute" not found in LDAP object
Mon Apr 12 04:17:39 2021 : WARNING: (17) ldap: No "known good" password
added. Ensure the admin user has permission to read the password attribute
Mon Apr 12 04:17:39 2021 : WARNING: (17) ldap: PAP authentication will
*NOT* work with Active Directory (if that is what you were trying to
configure)
Mon Apr 12 04:17:39 2021 : Debug: rlm_ldap (ldap): Released connection (0)
Mon Apr 12 04:17:39 2021 : Info: Need 1 more connections to reach min
connections (3)
Mon Apr 12 04:17:39 2021 : Info: rlm_ldap (ldap): Opening additional
connection (6), 1 of 30 pending slots used
Mon Apr 12 04:17:39 2021 : Debug: rlm_ldap (ldap): Connecting to ldaps://
ldap.google.com:636
Mon Apr 12 04:17:39 2021 : Debug: rlm_ldap (ldap): New libldap handle
0x5631da71dd60
Mon Apr 12 04:17:39 2021 : Debug: rlm_ldap (ldap): Waiting for bind
result...
ber_get_next failed.
Mon Apr 12 04:17:40 2021 : Debug: rlm_ldap (ldap): Bind successful
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: returned
from ldap (rlm_ldap)
Mon Apr 12 04:17:40 2021 : Debug: (17) [ldap] = ok
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: calling
expiration (rlm_expiration)
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: returned
from expiration (rlm_expiration)
Mon Apr 12 04:17:40 2021 : Debug: (17) [expiration] = noop
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: calling
logintime (rlm_logintime)
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: returned
from logintime (rlm_logintime)
Mon Apr 12 04:17:40 2021 : Debug: (17) [logintime] = noop
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: calling
pap (rlm_pap)
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: returned
from pap (rlm_pap)
Mon Apr 12 04:17:40 2021 : Debug: (17) [pap] = noop
Mon Apr 12 04:17:40 2021 : Debug: (17) if (User-Password) {
Mon Apr 12 04:17:40 2021 : Debug: (17) if (User-Password) -> FALSE
Mon Apr 12 04:17:40 2021 : Debug: (17) } # authorize = updated
Mon Apr 12 04:17:40 2021 : Debug: (17) Found Auth-Type = eap
Mon Apr 12 04:17:40 2021 : Debug: (17) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
Mon Apr 12 04:17:40 2021 : Debug: (17) authenticate {
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authenticate]:
calling eap (rlm_eap)
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Expiring EAP session with state
0x14605457166441b9
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Finished EAP session with state
0xca0fe817ca0eec20
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Previous EAP request found for
state 0xca0fe817ca0eec20, released from the list
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Peer sent packet with method
EAP MD5 (4)
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Calling submodule eap_md5 to
process data
Mon Apr 12 04:17:40 2021 : ERROR: (17) eap_md5: Cleartext-Password is
required for EAP-MD5 authentication
Mon Apr 12 04:17:40 2021 : ERROR: (17) eap: Failed continuing EAP MD5 (4)
session. EAP sub-module failed
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Sending EAP Failure (code 4) ID
1 length 4
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Failed in EAP select
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authenticate]:
returned from eap (rlm_eap)
Mon Apr 12 04:17:40 2021 : Debug: (17) [eap] = invalid
Mon Apr 12 04:17:40 2021 : Debug: (17) } # authenticate = invalid
Mon Apr 12 04:17:40 2021 : Debug: (17) Failed to authenticate the user
Mon Apr 12 04:17:40 2021 : Debug: (17) Using Post-Auth-Type Reject
Mon Apr 12 04:17:40 2021 : Debug: (17) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
Mon Apr 12 04:17:40 2021 : Debug: (17) Post-Auth-Type REJECT {
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter)
Mon Apr 12 04:17:40 2021 : Debug: %{User-Name}
Mon Apr 12 04:17:40 2021 : Debug: Parsed xlat tree:
Mon Apr 12 04:17:40 2021 : Debug: attribute --> User-Name
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: EXPAND
%{User-Name}
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: -->
can.dulkadiroglu
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Matched
entry DEFAULT at line 11
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject:
EAP-Message = 0x04010004 allowed by EAP-Message =* 0x
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Attribute
"EAP-Message" allowed by 1 rules, disallowed by 0 rules
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject:
Message-Authenticator = 0x00000000000000000000000000000000 allowed by
Message-Authenticator =* 0x
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Attribute
"Message-Authenticator" allowed by 1 rules, disallowed by 0 rules
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: returned
from attr_filter.access_reject (rlm_attr_filter)
Mon Apr 12 04:17:40 2021 : Debug: (17) [attr_filter.access_reject] =
updated
Mon Apr 12 04:17:40 2021 : Debug: (17) update outer.session-state {
Mon Apr 12 04:17:40 2021 : Debug: (17) &Module-Failure-Message :=
&request:Module-Failure-Message -> 'eap_md5: Cleartext-Password is required
for EAP-MD5 authentication'
Mon Apr 12 04:17:40 2021 : Debug: (17) } # update outer.session-state
= noop
Mon Apr 12 04:17:40 2021 : Debug: (17) } # Post-Auth-Type REJECT =
updated
Mon Apr 12 04:17:40 2021 : Auth: (17) Login incorrect (eap_md5:
Cleartext-Password is required for EAP-MD5 authentication):
[can.dulkadiroglu/<via Auth-Type = eap>] (from client localhost port 2 cli
fa33e5c54a33 via TLS tunnel)
Mon Apr 12 04:17:40 2021 : Debug: (17) } # server inner-tunnel
Mon Apr 12 04:17:40 2021 : Debug: (17) Virtual server sending reply
Mon Apr 12 04:17:40 2021 : Debug: (17) EAP-Message = 0x04010004
Mon Apr 12 04:17:40 2021 : Debug: (17) Message-Authenticator =
0x00000000000000000000000000000000
Mon Apr 12 04:17:40 2021 : Debug: (17) eap_ttls: Got tunneled Access-Reject
Mon Apr 12 04:17:40 2021 : ERROR: (17) eap: Failed continuing EAP TTLS (21)
session. EAP sub-module failed
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Sending EAP Failure (code 4) ID
6 length 4
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Failed in EAP select
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authenticate]:
returned from eap (rlm_eap)
Mon Apr 12 04:17:40 2021 : Debug: (17) [eap] = invalid
Mon Apr 12 04:17:40 2021 : Debug: (17) } # authenticate = invalid
Mon Apr 12 04:17:40 2021 : Debug: (17) Failed to authenticate the user
Mon Apr 12 04:17:40 2021 : Debug: (17) Using Post-Auth-Type Reject
Mon Apr 12 04:17:40 2021 : Debug: (17) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
Mon Apr 12 04:17:40 2021 : Debug: (17) Post-Auth-Type REJECT {
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter)
Mon Apr 12 04:17:40 2021 : Debug: %{User-Name}
Mon Apr 12 04:17:40 2021 : Debug: Parsed xlat tree:
Mon Apr 12 04:17:40 2021 : Debug: attribute --> User-Name
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: EXPAND
%{User-Name}
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: -->
can.dulkadiroglu
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Matched
entry DEFAULT at line 11
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject:
EAP-Message = 0x04060004 allowed by EAP-Message =* 0x
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Attribute
"EAP-Message" allowed by 1 rules, disallowed by 0 rules
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject:
Message-Authenticator = 0x00000000000000000000000000000000 allowed by
Message-Authenticator =* 0x
Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Attribute
"Message-Authenticator" allowed by 1 rules, disallowed by 0 rules
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: returned
from attr_filter.access_reject (rlm_attr_filter)
Mon Apr 12 04:17:40 2021 : Debug: (17) [attr_filter.access_reject] =
updated
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: calling
eap (rlm_eap)
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Reply already contained an
EAP-Message, not inserting EAP-Failure
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: returned
from eap (rlm_eap)
Mon Apr 12 04:17:40 2021 : Debug: (17) [eap] = noop
Mon Apr 12 04:17:40 2021 : Debug: (17) policy
remove_reply_message_if_eap {
Mon Apr 12 04:17:40 2021 : Debug: (17) if (&reply:EAP-Message &&
&reply:Reply-Message) {
Mon Apr 12 04:17:40 2021 : Debug: (17) if (&reply:EAP-Message &&
&reply:Reply-Message) -> FALSE
Mon Apr 12 04:17:40 2021 : Debug: (17) else {
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]:
calling noop (rlm_always)
Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]:
returned from noop (rlm_always)
Mon Apr 12 04:17:40 2021 : Debug: (17) [noop] = noop
Mon Apr 12 04:17:40 2021 : Debug: (17) } # else = noop
Mon Apr 12 04:17:40 2021 : Debug: (17) } # policy
remove_reply_message_if_eap = noop
Mon Apr 12 04:17:40 2021 : Debug: (17) } # Post-Auth-Type REJECT = updated
Mon Apr 12 04:17:40 2021 : Auth: (17) Login incorrect (eap: Failed
continuing EAP TTLS (21) session. EAP sub-module failed):
[can.dulkadiroglu/<via Auth-Type = eap>] (from client localhost port 2 cli
fa33e5c54a33)
Mon Apr 12 04:17:40 2021 : Debug: (17) Delaying response for 1.000000
seconds
Mon Apr 12 04:17:40 2021 : Debug: Waking up in 0.5 seconds.
Mon Apr 12 04:17:41 2021 : Debug: (12) Cleaning up request packet ID 248
with timestamp +80
Mon Apr 12 04:17:41 2021 : Debug: (13) Cleaning up request packet ID 249
with timestamp +80
Mon Apr 12 04:17:41 2021 : Debug: (14) Cleaning up request packet ID 250
with timestamp +80
Mon Apr 12 04:17:41 2021 : Debug: Waking up in 0.3 seconds.
Mon Apr 12 04:17:41 2021 : Debug: (17) Sending delayed response
Mon Apr 12 04:17:41 2021 : Debug: (17) Sent Access-Reject Id 253 from
10.50.2.140:1812 to 10.50.2.166:58160 length 44
Mon Apr 12 04:17:41 2021 : Debug: (17) EAP-Message = 0x04060004
Mon Apr 12 04:17:41 2021 : Debug: (17) Message-Authenticator =
0x00000000000000000000000000000000
Mon Apr 12 04:17:41 2021 : Debug: Waking up in 2.6 seconds.
Mon Apr 12 04:17:44 2021 : Debug: (15) Cleaning up request packet ID 251
with timestamp +83
Mon Apr 12 04:17:44 2021 : Debug: (16) Cleaning up request packet ID 252
with timestamp +83
Mon Apr 12 04:17:44 2021 : Debug: Waking up in 1.3 seconds.
Mon Apr 12 04:17:45 2021 : Debug: (17) Cleaning up request packet ID 253
with timestamp +83
Mon Apr 12 04:17:45 2021 : Info: Ready to process requests
Vahap Can DULKADİROĞLU
Department of Information Technology / Electronics and Communications Engineer
can.dulkadiroglu at samsun.edu.tr
0(362) 313 00 55 - 1454
Canik Yerleşkesi Gürgenyatak Mahallesi Merkez Sokak No:40-2/1
CANİK/SAMSUN
www.samsun.edu.tr
SAMSUN ÜNİVERSİTESİ
"A Qualified University for a Qualified Society"
On Wed, 14 Apr 2021 at 14:30, Alan DeKok <aland at deployingradius.com> wrote:
> On Apr 14, 2021, at 2:21 AM, Vahap Can Dulkadiroğlu <
> can.dulkadiroglu at samsun.edu.tr> wrote:
> >
> > We are using Google LDAP. How will we solve this problem? Whatever I did,
> > this problem was not solved.--"The server doesn't have permission to read
> > the "known good" passwords from LDAP"
>
> It's Google. You can't.
>
> If you want to do WiFi authentication and use Google for LDAP, your
> choices are:
>
> a) TTLS + PAP
>
> b) no WiFi authentication
>
> c) don't use Google for LDAP
>
> That's it.
>
> > We also get this error. I don't know the meaning of this error.--"
> > ber_get_next failed."
>
> It depends... the full debug output would be useful.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
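Added example, not part of the original thread and not FreeRADIUS code: a Python triage over debug output of the shape posted above. It re-joins records that the archive wrapped, then reports per request whether an inner EAP method asked for a password LDAP did not return, or whether User-Password was present in the tunnel (the TTLS + PAP case). The sample lines are constructed after the log in the post; function names and verdict strings are this example's own.

```python
import re

# Start of a log record, with or without the timestamp prefix seen in the post.
START = re.compile(r"^(?:\w{3} \w{3} +\d+ [\d:]{8} \d{4} : )?(Debug|Info|WARNING|ERROR|Auth): ")
REQ = re.compile(r"(?:Debug|WARNING|ERROR): \((\d+)\)\s+(.*)")
METHOD = re.compile(r"Peer sent packet with method EAP (.+?) \(\d+\)")
TUNNELS = {"TTLS", "PEAP"}  # outer methods; any other method seen is the inner one

def unwrap(text):
    """Re-join records that the mail archive wrapped across lines."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return {request_id: verdict} for each request found in a debug log."""
    seen = {}
    for rec in unwrap(text):
        m = REQ.search(rec)
        if not m:
            continue
        st = seen.setdefault(int(m.group(1)),
                             {"nopw": False, "clear": False, "pap": False, "inner": set()})
        msg = m.group(2)
        st["nopw"] |= 'No "known good" password' in msg
        st["clear"] |= "Cleartext-Password is required" in msg
        st["pap"] |= "if (User-Password) -> TRUE" in msg
        e = METHOD.search(msg)
        if e:
            st["inner"] |= {e.group(1)} - TUNNELS
    return {rid: ("inner EAP-%s needs a password LDAP did not return" % "/".join(sorted(st["inner"]))
                  if st["clear"] and st["nopw"] else
                  "User-Password present in tunnel (TTLS + PAP)" if st["pap"] else "inconclusive")
            for rid, st in seen.items()}

# Constructed sample in the shape of the posted log (request 18 is invented).
SAMPLE = '''\
Mon Apr 12 04:17:39 2021 : WARNING: (17) ldap: No "known good" password
added. Ensure the admin user has permission to read the password attribute
Debug: (17) eap: Peer sent packet with method EAP TTLS (21)
Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Peer sent packet with method
EAP MD5 (4)
Mon Apr 12 04:17:40 2021 : ERROR: (17) eap_md5: Cleartext-Password is
required for EAP-MD5 authentication
Mon Apr 12 04:17:52 2021 : Debug: (18) if (User-Password) -> TRUE
'''
```
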