Hello everyone!
I am setting up a FreeRADIUS server and have got a problem.
When I try to authenticate with a Mac OS X machine towards the RADIUS server with the wrong username and password, it denies me the first time the Mac tries to authenticate. The second time, which it does automatically, the FreeRADIUS logs say it has denied access a second time but get a TLV failure and an EAP-PEAP failure, and the Mac succeeds in getting a connection towards my DHCP server and then gets internet access.
If I try to do the same with a Windows machine I can't get through, however many times I try. I also used a wired switch from Netgear as the NAS instead, and then the Mac wasn't able to get through to the DHCP server with the wrong username and password.
It seems there is something wrong with the MikroTik; has someone heard about this kind of error before? My setup in the MikroTik when this succeeds is that the TLS mode is set to “no certificate”. When I use “don't verify certificate” I instead get two windows in a row that ask for my username and password if I use the correct username and password the first time I log in; if I write an incorrect username it stops asking and does not let me connect to the network.
The hardware is a 175 MHz CPU with 512 MB of HDD space, version 3.30.
My signal is 6 dB, sending in all directions, if that matters in some way?
I've tried running both with hotspot enabled and disabled.
The authentication isn't MAC based but port based.
The network topology is like this:
FreeRadius server ↔ Netgear Switch(wired) ↔ Mikrotik ↔ end users.
The Netgear switch is just routing traffic at the moment, since MikroTik doesn't have dynamic VLAN assignment.
I'm trying to think of a way to handle about 50 different VLANs with about 10-20 end users in each VLAN.
I'm doing this as a school project, so the requirement is that it should be able to handle 50 VLANs and about 10-20 end users in each VLAN.
Is there any way to move an end user who is set to one VLAN into another in the MikroTik? My Netgear switch has support for it, but I'm not sure if you can do that in the same way between static VLANs in MikroTik.
If you are using DHCP with RADIUS, that does not stop access to the network if it fails. It does not assign an IP. With Windows, this stops a connection because Windows issues a 169.x.x.x IP to the interface if the DHCP server does not respond.
To test, assign the Windows machine a static IP in the range of the DHCP server. It should also get access.
What do you mean?
If you're talking about dynamic vs. static IP addresses, I can tell you that the Mac OS X machine is using a dynamic IP address, which means it also has to ask the DHCP server for an IP address, and it seems it gets a connection to the DHCP server since it gets access to the Internet. So both the Windows XP machine and the Mac OS X machine are using dynamic IP addresses.
Both may use DHCP, but the action each takes on failure is different. Windows assigns the 169.x.x.x IP, and OS X may use the last assigned IP. Boot the Mac with the DHCP server disabled (or offline) and see what IP is assigned to the interface.
Once again, if the DHCP server fails to issue an IP address, that does not stop access. Try the static assignment on the Windows box, and you will get on the net with it also.
Hi! Thank you for your time. I found out that the problem was not that the Mac uses the last known working IP, but that when you try to log in to the RADIUS server and it fails to authenticate, it tries to log in with other “known” users. So if you have logged in with an account that works for that SSID, you can count on it using that account when it fails to log in with the one of your choice.
I am contacting support for PEAP with WPA for OS X at the moment, telling them about this security bug (since it is a bug), and will ask them if there is anything that can be done to deactivate that feature, that it uses other accounts that have been used to authenticate to a RADIUS server.
Once again thank you for your time regarding this matter.
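One way to spot the fallback behaviour described in the thread from the RADIUS side, as an added example that is not part of the original posts: it parses Auth lines in the style of a FreeRADIUS 2.x radius.log and flags a station (by its Calling-Station MAC) that was rejected for one username and then accepted for a different one within a short window. The log lines are constructed samples; the 30-second window and the NAS names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of FreeRADIUS 2.x "Auth:" log entries.
# NAS names and MACs are made up for the example.
SAMPLE_LOG = """\
Tue Mar  2 10:15:01 2010 : Auth: Login incorrect: [student42] (from client mikrotik port 0 cli 00-1C-B3-AA-BB-CC)
Tue Mar  2 10:15:03 2010 : Auth: Login incorrect: [student42] (from client mikrotik port 0 cli 00-1C-B3-AA-BB-CC)
Tue Mar  2 10:15:04 2010 : Auth: Login OK: [teacher01] (from client mikrotik port 0 cli 00-1C-B3-AA-BB-CC)
Tue Mar  2 10:20:00 2010 : Auth: Login incorrect: [bob] (from client netgear port 3 cli 00-16-CB-11-22-33)
Tue Mar  2 11:30:00 2010 : Auth: Login OK: [carol] (from client netgear port 3 cli 00-16-CB-11-22-33)
"""

# Timestamp, result, username (ignoring any "/password" suffix), NAS and calling-station MAC.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]/]+)[^\]]*\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f:-]+)"
)


def find_credential_fallback(log_text, window=timedelta(seconds=30)):
    """Return (mac, rejected_user, accepted_user) for every station that was
    rejected for one username and then accepted for another within `window`.
    This is the pattern a supplicant that silently retries with stored
    credentials leaves behind on the server."""
    rejects = defaultdict(list)  # mac -> [(timestamp, rejected username)]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        mac = m["mac"].upper().replace("-", ":")  # normalise MAC spelling
        user = m["user"]
        if m["result"] == "incorrect":
            rejects[mac].append((ts, user))
            continue
        # An Accept: check whether the same station was just rejected as someone else.
        for rt, ruser in rejects[mac]:
            if ruser != user and ts - rt <= window:
                findings.append((mac, ruser, user))
                break
        rejects[mac].clear()  # a successful login closes the window for this station
    return findings


if __name__ == "__main__":
    for mac, rejected, accepted in find_credential_fallback(SAMPLE_LOG):
        print(f"{mac}: rejected as {rejected!r}, then accepted as {accepted!r}")
```

The second station is not reported because its accept comes more than 30 seconds after the reject, which is ordinary user behaviour rather than an automatic retry.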