Radius authentication fails on mac devices

Markus · ‎03-18-2019

Hi Pros, I'm facing with a strange issue with iPhones and Macs. We use Radius/WPA2 Enterprise Auth. for our SSID. If I connect the first time, the device get authenticated, but if I change the SSID and want connect back, it fails with wrong password. On the radius server (Win), the Eventlog says ok (see Attachement) and debug looks ok too.

2019-03-1814:41:35 16495.283 b0:19:c6:b5:57:58 <eh> send 1/4 msg of 4-Way Handshake
2019-03-18 14:41:35 16495.283 b0:19:c6:b5:57:58 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=117 replay cnt 1
2019-03-18 14:41:35 16495.283 b0:19:c6:b5:57:58 <eh> IEEE 802.1X (EAPOL 121B) ==> b0:19:c6:b5:57:58 ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> IEEE 802.1X (EAPOL 121B) <== b0:19:c6:b5:57:58 ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> recv IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=117 
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> recv EAPOL-Key 2/4 Pairwise replay cnt 1
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> send 3/4 msg of 4-Way Handshake
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=151 replay cnt 2
2019-03-18 14:41:35 16495.286 b0:19:c6:b5:57:58 <eh> IEEE 802.1X (EAPOL 155B) ==> b0:19:c6:b5:57:58 ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b
2019-03-18 14:41:35 16495.289 b0:19:c6:b5:57:58 <eh> IEEE 802.1X (EAPOL 99B) <== b0:19:c6:b5:57:58 ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b
2019-03-18 14:41:35 16495.289 b0:19:c6:b5:57:58 <eh> recv IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=95 
2019-03-18 14:41:35 16495.289 b0:19:c6:b5:57:58 <eh> recv EAPOL-Key 4/4 Pairwise replay cnt 2
2019-03-18 14:41:35 62897.289 b0:19:c6:b5:57:58 <dc> STA chg b0:19:c6:b5:57:58 vap itoTest ws (0-10.0.0.14:5246) rId 0 wId 4 bssid 4a:5b:0e:39:31:3b AUTH
2019-03-18 14:41:35 62897.289 b0:19:c6:b5:57:58 <cc> STA chg b0:19:c6:b5:57:58 vap itoTest ws (0-10.0.0.14:5246) rId 0 wId 4 4a:5b:0e:39:31:3b sec WPA2 USERGROUP auth 1 ******
2019-03-18 14:41:35 62897.289 b0:19:c6:b5:57:58 <cc> STA_CFG_REQ(192) sta b0:19:c6:b5:57:58 add key (len=16) ==> ws (0-10.0.0.14:5246) rId 0 wId 4 
2019-03-18 14:41:35 62897.292 b0:19:c6:b5:57:58 <cc> STA_CFG_RESP(192) b0:19:c6:b5:57:58 <== ws (0-10.0.0.14:5246) rc 0 (Success) 
2019-03-18 14:41:35 16495.292 b0:19:c6:b5:57:58 <eh> ***pairwise key handshake completed*** (RSN)
2019-03-18 14:41:35 62897.298 b0:19:c6:b5:57:58 <dc> DHCP Request server 0.0.0.0 <== host iPhone mac b0:19:c6:b5:57:58 ip 10.10.22.5 xId 5eb541e8
2019-03-18 14:41:35 62897.298 b0:19:c6:b5:57:58 <dc> DHCP Ack server 10.10.22.1 ==> host mac b0:19:c6:b5:57:58 ip 1.2.3.5 mask 255.255.255.0 gw 1.2.3.1 xId 5eb541e8

Any thoughts? Thank you

________________________________________________________
--- NSE 4 ---
________________________________________________________

seadave · ‎04-11-2019

Are your devices spoofing MAC addresses? That is a common feature now. Maybe it is using that as an identifier and the randomization causes it to be misidentified. Just a guess.

https://www.theregister.co.uk/2017/03/10/mac_address_randomization/

View solution in original post

seadave · ‎04-11-2019

Are your devices spoofing MAC addresses? That is a common feature now. Maybe it is using that as an identifier and the randomization causes it to be misidentified. Just a guess.

https://www.theregister.co.uk/2017/03/10/mac_address_randomization/

Markus · ‎04-11-2019

Thank you for the hint. I'll go through this.

________________________________________________________
--- NSE 4 ---
________________________________________________________