Radius authentication fails on mac devices

Markus
2019/03/18 08:11:12 (permalink) 5.6

Hi Pros,

I'm facing a strange issue with iPhones and Macs.

We use Radius/WPA2 Enterprise Auth. for our SSID. If I connect the first time, the device gets authenticated, but if I change the SSID and want to connect back, it fails with wrong password.

On the radius server (Win), the Eventlog says ok (see attachment) and debug looks ok too.
 
2019-03-18 14:41:35 16495.283 b0:19:c6:b5:57:58 <eh> send 1/4 msg of 4-Way Handshake
2019-03-18 14:41:35 16495.283 b0:19:c6:b5:57:58 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=117 replay cnt 1
2019-03-18 14:41:35 16495.283 b0:19:c6:b5:57:58 <eh> IEEE 802.1X (EAPOL 121B) ==> b0:19:c6:b5:57:58 ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> IEEE 802.1X (EAPOL 121B) <== b0:19:c6:b5:57:58 ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> recv IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=117
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> recv EAPOL-Key 2/4 Pairwise replay cnt 1
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> send 3/4 msg of 4-Way Handshake
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=151 replay cnt 2
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> IEEE 802.1X (EAPOL 155B) ==> b0:19:c6:b5:57:58 ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b
2019-03-18 14:41:35 16495.289 b0:19:c6:b5:57:58 <eh> IEEE 802.1X (EAPOL 99B) <== b0:19:c6:b5:57:58 ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b
2019-03-18 14:41:35 16495.289 b0:19:c6:b5:57:58 <eh> recv IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=95
2019-03-18 14:41:35 16495.289 b0:19:c6:b5:57:58 <eh> recv EAPOL-Key 4/4 Pairwise replay cnt 2
2019-03-18 14:41:35 62897.289 b0:19:c6:b5:57:58 <dc> STA chg b0:19:c6:b5:57:58 vap itoTest ws (0-10.0.0.14:5246) rId 0 wId 4 bssid 4a:5b:0e:39:31:3b AUTH
2019-03-18 14:41:35 62897.289 b0:19:c6:b5:57:58 <cc> STA chg b0:19:c6:b5:57:58 vap itoTest ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b sec WPA2 USERGROUP auth 1 ******
2019-03-18 14:41:35 62897.289 b0:19:c6:b5:57:58 <cc> STA_CFG_REQ(192) sta b0:19:c6:b5:57:58 add key (len=16) ==> ws (0-10.0.0.14:5246) rId 0 wId 4
2019-03-18 14:41:35 62897.292 b0:19:c6:b5:57:58 <cc> STA_CFG_RESP(192) b0:19:c6:b5:57:58 <== ws (0-10.0.0.14:5246) rc 0 (Success)
2019-03-18 14:41:35 16495.292 b0:19:c6:b5:57:58 <eh> ***pairwise key handshake completed*** (RSN)
2019-03-18 14:41:35 62897.298 b0:19:c6:b5:57:58 <dc> DHCP Request server 0.0.0.0 <== host iPhone mac b0:19:c6:b5:57:58 ip 10.10.22.5 xId 5eb541e8
2019-03-18 14:41:35 62897.298 b0:19:c6:b5:57:58 <dc> DHCP Ack server 10.10.22.1 ==> host mac b0:19:c6:b5:57:58 ip 1.2.3.5 mask 255.255.255.0 gw 1.2.3.1 xId 5eb541e8

 
 
Any thoughts?

Thank you


post edited by Markus - 2019/04/11 00:13:45

Attached Image(s)

#1
seadave
Re: Radius authentication fails on mac devices 2019/04/11 20:03:10 (permalink) Helpful by Markus 2019/04/11 23:32:25
Are your devices spoofing MAC addresses?  That is a common feature now.  Maybe it is using that as an identifier and the randomization causes it to be misidentified.  Just a guess.
 
https://www.theregister.co.uk/2017/03/10/mac_address_randomization/
 
#2
Markus
Re: Radius authentication fails on mac devices 2019/04/11 23:32:04 (permalink)
Thank you for the hint. I'll go through this.
#3