RE: Mac PEAP authentication with FreeRADIUS Pre2.0

2007-02-02 Thread King, Michael
 

 -Original Message-
 On your Mac (as root), create the 
 directory /var/log/eapolclient, then retry your 
 authentication.  The EAP client in OS X should write out 
 debugging information for the EAP session into that directory 
 and should give you a better idea of why it's halting.

Man, it's hard to enable root on OSX.

Anyways, I get a file called uid501-en1.log

It's empty.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Mac PEAP authentication with FreeRADIUS Pre2.0

2007-02-02 Thread King, Michael
 

 -Original Message-
 
   So if 1.1.3 works, and 1.1.4 doesn't, that's the issue.


Anyone got 1.1.4 and Mac authenticating?  



Re: Mac PEAP authentication with FreeRADIUS Pre2.0

2007-02-02 Thread Michael Griego
I'll take another look a little later to see if there's something  
else you have to do.  It's been a while since I did this.

--Mike

On Feb 2, 2007, at 9:00 AM, King, Michael wrote:



 -Original Message-
 On your Mac (as root), create the
 directory /var/log/eapolclient, then retry your
 authentication.  The EAP client in OS X should write out
 debugging information for the EAP session into that directory
 and should give you a better idea of why it's halting.

 Man, it's hard to enable root on OSX.

 Anyways, I get a file called uid501-en1.log

 It's empty.




RE: Mac PEAP authentication with FreeRADIUS Pre2.0

2007-02-01 Thread King, Michael
 -Original Message-
 
 When I try a Mac (PowerMac 10.4.8, but have tried also on 10.3.x), it
 seems to not work.  The Mac throws an error 802.1x Authentication has
 failed.

After more testing, and staring at the debugs, it seems this is where
the breakdown is, the Mac isn't answering the tunneled Access-Challenge.
Least, this is what I'm thinking. (This is a different debug)

modcall:  entering group authenticate for request 23
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall:  entering group MS-CHAP for request 23
  rlm_mschap: No Cleartext-Password configured.  Cannot create
LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create
NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for mking with NT-Password
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat:  '--username=mking'
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
 mschap2: 94
radius_xlat:  '--challenge=4ebfbb2c2373c4c9'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat:
'--nt-response=a53b88d2b14aead7f697498aa066c2d02e79c3d0a6e84427'
Exec-Program output: NT_KEY: 1BA2159EDC0597637BA8848B83AA9B2B
Exec-Program-Wait: plaintext: NT_KEY: 1BA2159EDC0597637BA8848B83AA9B2B
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module mschap returns ok for request 23
modcall: group MS-CHAP returns ok for request 23
MSCHAP Success
  modcall[authenticate]: module eap returns handled for request 23
modcall: group authenticate returns handled for request 23
  PEAP: Got tunneled reply RADIUS code 11
MS-CHAP2-Success =
0x0d533d653336623733383162623839396432613066613365653564683130363161
6663303239326336
EAP-Message =
0x010e00331a030d002e533d653336623733383162623839396432613066613365653564
6831303631616663303239326336
Message-Authenticator = 0x
State = 0xfd5c09024628badca09e5ae9eec682e7
  PEAP: Processing from tunneled session code 0x81c1788 11
MS-CHAP2-Success =
0x0d533d653336623733383162623839396432613066613365653564683130363161
6663303239326336
EAP-Message =
0x010e00331a030d002e533d653336623733383162623839396432613066613365653564
6831303631616663303239326336
Message-Authenticator = 0x
State = 0xfd5c09024628badca09e5ae9eec682e7
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module eap returns handled for request 23
modcall: group authenticate returns handled for request 23
Sending Access-Challenge of id 4 to 10.0.1.22 port 32769
EAP-Message =
0x010e005b1900170301005075b366b0bc3665ce9cc4c3bb5d4907020fce14dcf06c5ffb
cdc725c126803bd0de38918995021346758fc00ed823cc7b13be5d69ed780a80ac04bfcb
9cb85dee2ab382e8b88b3a7b7cdccfc227583867
Message-Authenticator = 0x
State = 0xf3f735fa7f444b2ef47757092fcbef29
Finished request 23
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 16 ID 253 with timestamp 45c257be
Cleaning up request 20 ID 1 with timestamp 45c257be
Cleaning up request 22 ID 3 with timestamp 45c257be
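
The EAP-Message in the "PEAP: Got tunneled reply" lines above is the EAP-MSCHAPv2 Success request that the Mac is expected to answer. The decoder below is an added example, not part of the original post or of FreeRADIUS; the function and field names are hypothetical, and the sample value is the hex exactly as it appears on this page.

```python
import struct

# EAP-Message value copied from the "PEAP: Got tunneled reply" lines of the
# debug output above, with the two wrapped lines joined.
SAMPLE_HEX = (
    "0x010e00331a030d002e533d653336623733383162623839396432613066613365653564"
    "6831303631616663303239326336"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure",
           7: "Change-Password"}
EAP_TYPE_MSCHAPV2 = 26  # 0x1a


def parse_eap_mschapv2(hex_value):
    """Decode an EAP-MSCHAPv2 packet given as hex (hypothetical helper)."""
    text = "".join(hex_value.split())
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 9:
        raise ValueError("too short for an EAP-MSCHAPv2 header")
    code, ident, eap_len, eap_type = struct.unpack("!BBHB", raw[:5])
    if eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("EAP type %d is not MSCHAPv2" % eap_type)
    opcode, ms_id, ms_len = struct.unpack("!BBH", raw[5:9])
    message = raw[9:].decode("ascii", "replace")
    # A Success message starts with "S=" and 40 hex digits: the authenticator
    # response the peer must verify before it sends its own Success response.
    auth = message[2:42] if message.startswith("S=") else ""
    auth_ok = len(auth) == 40 and all(c in "0123456789abcdefABCDEF" for c in auth)
    return {
        "code": EAP_CODES.get(code, code),
        "identifier": ident,
        "declared_len": eap_len,
        "actual_len": len(raw),
        # MS-Length covers everything after the 5-byte EAP header.
        "length_ok": eap_len == len(raw) and ms_len == eap_len - 5,
        "opcode": OPCODES.get(opcode, opcode),
        "ms_id": ms_id,
        "ms_len": ms_len,
        "message": message,
        "auth_response_ok": auth_ok,
    }


if __name__ == "__main__":
    for key, value in parse_eap_mschapv2(SAMPLE_HEX).items():
        print("%-17s %s" % (key, value))
```

On the value as archived here, the header decodes as Request / MSCHAPv2 / Success with a declared length of 51, but only 49 bytes are present and the S= field is not 40 hex digits, so the archived copy of the log is not byte-exact.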



Re: Mac PEAP authentication with FreeRADIUS Pre2.0

2007-02-01 Thread Michael Griego
Yes, it looks like your Mac may not like the MSCHAPv2 response for
some reason.  On your Mac (as root), create the directory
/var/log/eapolclient, then retry your authentication.  The EAP client in OS X
should write out debugging information for the EAP session into that
directory and should give you a better idea of why it's halting.

--Mike

On Feb 1, 2007, at 3:21 PM, King, Michael wrote:

 -Original Message-

 When I try a Mac (PowerMac 10.4.8, but have tried also on 10.3.x), it
 seems to not work.  The Mac throws an error 802.1x Authentication has
 failed.

 After more testing, and staring at the debugs, it seems this is where
 the breakdown is, the Mac isn't answering the tunneled Access-Challenge.
 Least, this is what I'm thinking. (This is a different debug)



Re: Mac PEAP authentication with FreeRADIUS Pre2.0

2007-02-01 Thread Alan DeKok
King, Michael wrote:
 After more testing, and staring at the debugs, it seems this is where
 the breakdown is, the Mac isn't answering the tunneled Access-Challenge.

  Version 1.1.4 (and the CVS head) have a patch applied that makes it do
 MS-CHAP more correctly.  This may be the issue, if the MACs don't
expect that.

  So if 1.1.3 works, and 1.1.4 doesn't, that's the issue.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog