Authentication with rlm_python module fails for iphone, works for android, windows, linux

The2nd the2nd at otpme.org
Tue Jan 13 20:13:20 UTC 2026


On 11.01.26 at 19:48, Alan DeKok via Freeradius-Users wrote:
> On Jan 11, 2026, at 6:29 AM, The2nd <the2nd at otpme.org> wrote:
>> and it works for wlan authentication (mschapv2) with windows, linux and android devices. But it fails with iphone/ios. With iOS I see the request in my python module and it authenticates against my server successfully but the iPhone always tells me "Unable to join the network <ssid>".
>    Does iOS work when you *don't* use your module?  i.e. when you put a clear-text password into the configuration, and let FreeRADIUS do everything?
It worked when I used it with OTPme (the server I am writing) and the 
otpme-auth tool as ntlm_auth replacement.
>
>> As it works with linux, windows and android I think it's not completely wrong.
>    There's likely some odd corner case you're missing, or the iOS device isn't configured correctly.
>
>    Debug it with the normal FreeRADIUS configuration.  That way you can narrow down where the problem is.

I was able to get the response FreeRADIUS sends when using it with my 
ntlm_auth replacement. And the only difference was that the response 
was uppercase hex. After changing my module to return uppercase too, it 
works. Checking the RFC shows that the response MUST be uppercase.

>> ...
>> (9) Sent Access-Challenge Id 213 from 10.219.195.1:1812 to 10.219.195.225:38276 length 140
>> (9)   EAP-Message = 0x012c0052190017030300472209ea55626d5ff1c5bfe6da41424c37ee71bb77118b8f1f51e7bdb050466709030848e8afe46e99cd47ef4337957aa870e14a5a42c006d97a017640d76c88fd54daf3585dae47
>> (9)   Message-Authenticator = 0x00000000000000000000000000000000
>> (9)   State = 0xac2b487aa50751714e974a6b4baa7cab
>> (9) Finished request
>> Waking up in 4.0 seconds.
>    The iOS device doesn't like the response, and therefore stops talking to FreeRADIUS.
>
>    To see exactly what it doesn't like, look at the debug logs on the device.  And yes, generally there are no debug logs on the device.  The vendors seem to hate their customers, and provide no way to debug anything.
>
>    Alan DeKok.
Yes, a proper debug output on iOS could've saved me 3 hours or so...
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
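
An added example, not code from the original post or from OTPme: it assumes the "response" discussed above is the MS-CHAPv2 authenticator response string defined in RFC 2759, builds it with the uppercase formatting that RFC requires, and checks a candidate string against that exact form. The function names are hypothetical, and the input values are the test vector published in RFC 2759 section 9.2.

```python
import hashlib
import re

# Constants from RFC 2759, section 8.7 (GenerateAuthenticatorResponse).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

# "S=" followed by exactly 40 hex digits, with A-F in uppercase only.
STRICT_RESPONSE = re.compile(r"S=[0-9A-F]{40}")


def challenge_hash(peer_challenge, auth_challenge, username):
    """ChallengeHash(): first 8 octets of SHA1(peer || authenticator || user)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(pw_hash_hash, nt_response, peer_challenge,
                           auth_challenge, username):
    """Build the 42-octet "S=..." string from the MD4(MD4(password)) value.

    Taking the hash-of-hash as input avoids needing MD4, which many
    OpenSSL 3 builds no longer expose through hashlib.
    """
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    # bytes.hex() yields lowercase; the RFC requires uppercase A-F.
    return "S=" + digest.hex().upper()


def is_strict_response(value):
    """True only for the exact form RFC 2759 specifies."""
    return STRICT_RESPONSE.fullmatch(value) is not None


# Test vector from RFC 2759, section 9.2 (user "User", password "clientPass").
RFC_VECTOR = dict(
    pw_hash_hash=bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F"),
    nt_response=bytes.fromhex(
        "82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF"),
    peer_challenge=bytes.fromhex("21402324255E262A28295F2B3A337C7E"),
    auth_challenge=bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628"),
    username=b"User",
)

if __name__ == "__main__":
    good = authenticator_response(**RFC_VECTOR)
    bad = "S=" + good[2:].lower()  # same digest, lowercase hex
    print(good, is_strict_response(good))
    print(bad, is_strict_response(bad))
```

Running `is_strict_response()` over whatever a custom module returns, before it goes on the wire, catches the lowercase-hex case that lenient supplicants accept and strict ones reject.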

