Friday, July 10, 2009

OS X Bug: 802.1x TTLS defaults to CHAP even if changed to PAP

While configuring freeradius I uncovered a nasty Mac OS X bug. My goal was to authenticate Mac OS X (Leopard) clients to a WPA2 network using a RADIUS server that in turn authenticates against LDAP (EAP-TTLS with PAP as the inner method).

Scenario #1 (broken)

When I come within range of a WPA2 network using EAP-TTLS with PAP, I am prompted to log in. The first attempt fails, as expected, because I have not yet configured 802.1x to use TTLS with PAP. If I then set TTLS to use PAP in the 802.1x configuration dialogs, the dialog displays "PAP", but the supplicant does not actually use PAP: it keeps attempting its default CHAP authentication inside the TTLS tunnel. After that I am never able to connect to this access point without deleting it and starting over (as below).

Scenario #2 (working)

However, if I configure the 802.1x authentication profile in advance, with my wireless card turned off, then turn the card on, and when prompted choose "Join Other Network" instead of entering my username and password, manually assigning the new and correct 802.1x profile to the new wifi connection, it works as expected. This problem was nontrivial to track down. I am using freeradius and found that, despite having PAP listed under TTLS, the following was logged:

MS-CHAP-Challenge = 0x...
MS-CHAP2-Response = 0x...

I have deliberately not enabled CHAP in my freeradius configuration, so I knew something was up. After I finally got it working (using scenario #2), those two MS-CHAP log entries disappeared. A few of the freeradius log messages that were symptoms of the problem follow (in the hope that others may find this post):

pap No clear-text password in the request. Not performing PAP.
...
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
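The quickest way to tell which inner method a supplicant really used is to look at the credential attributes the RADIUS server receives inside the tunnel, rather than at what the client's dialog claims. The following script is an added example, not code from the original post or from the freeradius project: it parses debug-style output (one request per "Access-Request" line, followed by indented "Attribute = value" lines and module messages), decides per request whether the tunneled credentials were PAP, CHAP or MS-CHAPv2, and reports requests that do not match the method the server was configured for. The sample log is constructed for the example and only approximates the shape of the lines quoted above.

```python
"""Classify the inner-tunnel authentication method a supplicant actually used,
from FreeRADIUS-style debug output, and flag requests that do not match what
the server expects (PAP inside TTLS in the scenario described in the post).

Added example; the log layout below is an assumption modelled on the lines
quoted in the post, not a verbatim capture."""

import re
from dataclasses import dataclass, field

# Constructed sample: one request that carries MS-CHAPv2 attributes (the broken
# scenario) and one that carries a clear-text User-Password (the working one).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.2 port 1812, id=12, length=214
        User-Name = "alice"
        EAP-Message = 0x0201...
        MS-CHAP-Challenge = 0x5d3a...
        MS-CHAP2-Response = 0x01...
[pap] No clear-text password in the request. Not performing PAP.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
rad_recv: Access-Request packet from host 10.0.0.2 port 1812, id=13, length=180
        User-Name = "alice"
        User-Password = "secret"
[pap] login attempt with password "secret"
Login OK: [alice] (from client lan port 0 via TLS tunnel)
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$')
NEW_REQUEST_RE = re.compile(r'Access-Request packet from')

# Module messages that mean the request was not authenticated.
REJECT_MARKERS = (
    "Not performing PAP",
    "No authenticate method (Auth-Type) configuration found",
    "Failed to authenticate the user",
)


@dataclass
class RadiusRequest:
    attributes: dict = field(default_factory=dict)
    messages: list = field(default_factory=list)

    def inner_method(self):
        """The credential attribute present in the request decides the method."""
        if "MS-CHAP2-Response" in self.attributes or "MS-CHAP-Challenge" in self.attributes:
            return "mschapv2"
        if "CHAP-Password" in self.attributes:
            return "chap"
        if "User-Password" in self.attributes:
            return "pap"
        return "none"

    def rejected(self):
        return any(marker in line for line in self.messages for marker in REJECT_MARKERS)


def parse_requests(log_text):
    """Split debug output into requests; collect attributes and module messages per request."""
    requests = []
    current = None
    for line in log_text.splitlines():
        if NEW_REQUEST_RE.search(line):
            current = RadiusRequest()
            requests.append(current)
            continue
        if current is None:
            continue  # text before the first request is ignored
        match = ATTR_RE.match(line)
        if match:
            current.attributes[match.group(1)] = match.group(2).strip().strip('"')
        else:
            current.messages.append(line)
    return requests


def diagnose(log_text, expected="pap"):
    """One finding per request whose inner method differs from `expected`,
    or that used the expected method but was still rejected."""
    findings = []
    for n, req in enumerate(parse_requests(log_text), start=1):
        user = req.attributes.get("User-Name", "?")
        method = req.inner_method()
        if method != expected:
            findings.append(f"request {n} user {user}: supplicant sent {method}, server expects {expected}")
        elif req.rejected():
            findings.append(f"request {n} user {user}: {expected} request was rejected")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run against a saved `freeradius -X` session, the script points straight at the request that carried MS-CHAP attributes, which is the condition the "No clear-text password" message is a downstream symptom of.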
