Freeradius on OS X with OD, password attribute is not checked

Stepan Raichl stepan at
Thu Oct 26 20:50:02 CEST 2006

Hi all,

I'm setting up a wireless network where users use login details provided 
by OpenDirectory + certificate. The goal is that a user of the WiFi 
network must provide a certificate and a username with password. If the user 
is disabled in OD (via WGM - access account tick box), the user must not be 
able to access the network.

My setup:

OSX 10.4.8 Server, OpenDirectory, freeRADIUS, ZyWall 35 with WiFi AP 
using WPA Ent.

Clients: 99.9% Mac OSX 10.4.8

I got everything set up, freeRADIUS 1.1.3 running, certificates, but I can't get 
freeRADIUS to check the user password from OD.

Using radtest, I have no problems:
Sending Access-Request of id 123 to port 1812
User-Name = "12345"
User-Password = "12345"
NAS-IP-Address =
NAS-Port = 2
rad_recv: Access-Accept packet from host, id=123, length=20

However, when a client from WiFi logs in, username and certificate are 
the only criteria which are checked to grant access. If you can help, 
please read the debug dump below.

It seems that RADIUS has managed to decrypt the password and add it to 

rlm_ldap: Added password ******** in check items

... but then access is granted anyway ... it doesn't matter what you 
write in the password :-(

To achieve my goals, am I using the correct method (EAP-TLS)? When using 
an unencrypted connection, I can clearly see the password attribute, but 
that defeats the whole purpose of WPA ...

I hope you guys don't mind that I dumped bits of my log & conf into this 
forum; I'm getting very frustrated ...

I have already added userPassword as User-Password ...

RADIUS reply to connection using certificate:

rad_recv: Access-Request packet from host, id=16, 
User-Name = "12345"
NAS-IP-Address =
NAS-Identifier = "zywall"
Framed-MTU = 1496
Called-Station-Id = "00-11-22-33-44-55-66-77:Test Test"
Calling-Station-Id = "00-11-22-33-44-55"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b00060d00
State = 0xa5e4df76eacd676aa056b162e018e148
Message-Authenticator = 0x55082c87332500d61cb52cd8ca640361
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
rlm_eap: EAP packet type response id 11 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 12345
radius_xlat: '(uid=12345)'
radius_xlat: 'dc=st,dc=ln'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=st,dc=ln, with filter (uid=12345)
rlm_ldap: checking if remote access for 12345 is allowed by uid
rlm_ldap: Added password ******** in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value ******** & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 12345 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 9
modcall: leaving group authenticate (returns ok) for request 9
Sending Access-Accept of id 16 to port 1131
MS-MPPE-Recv-Key = 
MS-MPPE-Send-Key = 
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "12345"
Finished request 9

From radiusd.conf:


ldap {
	server = ""
	basedn = "dc=st,dc=ln"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	access_attr = "uid"
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	password_attribute = userPassword
}

authorize {
	# section contents not shown in the post
}

authenticate {
	Auth-Type PAP {
		# contents not shown in the post
	}
	Auth-Type CHAP {
		# contents not shown in the post
	}
	Auth-Type MS-CHAP {
		# contents not shown in the post
	}
	Auth-Type LDAP {
		# contents not shown in the post
	}
}

I have also added "checkItem User-Password userPassword" to ldap.attrmap.

Please please help, many thanks in advance!!!!
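As an added illustration (not part of the original post or of FreeRADIUS itself), a small Python audit of debug output like the dump above: it flags an Access-Accept where rlm_ldap added a User-Password check item in authorize but the decision came from the eap module (EAP/tls here), so the directory password was never compared with anything. The sample lines are constructed from the two exchanges in the post, with the radtest (PAP-style) one rendered as server-side debug lines.

```python
import re

# Constructed sample, condensed from the two exchanges quoted in the post:
# id=16 is the EAP-TLS WiFi client, id=123 mirrors the radtest PAP request.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host, id=16,
User-Name = "12345"
EAP-Message = 0x020b00060d00
rlm_ldap: Added password ******** in check items
rad_check_password: Found Auth-Type EAP
rlm_eap: EAP/tls
Sending Access-Accept of id 16 to port 1131
rad_recv: Access-Request packet from host, id=123,
User-Name = "12345"
User-Password = "12345"
rlm_ldap: Added password ******** in check items
Sending Access-Accept of id 123 to port 1812
"""

def audit_debug_log(text):
    """Return {request_id: summary} for every Access-Request in a FreeRADIUS 1.x
    debug dump. 'password_never_compared' is True when an Access-Accept was sent,
    rlm_ldap added a User-Password check item, but authentication ran through
    Auth-Type EAP, where that check item plays no part in the decision."""
    results, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"rad_recv: Access-Request packet .*\bid=(\d+)", line)
        if m:  # start of a new request: open a fresh summary record
            cur = results.setdefault(m.group(1), {
                "has_user_password": False, "ldap_check_item": False,
                "auth_type": None, "eap_type": None, "reply": None})
            continue
        if cur is None:
            continue
        if line.startswith("User-Password ="):
            cur["has_user_password"] = True          # cleartext PAP request
        elif "Added password" in line and "check items" in line:
            cur["ldap_check_item"] = True            # rlm_ldap pulled userPassword
        elif (m := re.match(r"rad_check_password: Found Auth-Type (\S+)", line)):
            cur["auth_type"] = m.group(1)
        elif (m := re.match(r"rlm_eap: EAP/(\w+)", line)):
            cur["eap_type"] = m.group(1)             # e.g. tls, ttls, peap
        elif (m := re.match(r"Sending (Access-\w+) of id (\d+)", line)):
            if m.group(2) in results:
                results[m.group(2)]["reply"] = m.group(1)
    for r in results.values():
        r["password_never_compared"] = (
            r["reply"] == "Access-Accept" and r["ldap_check_item"]
            and r["auth_type"] == "EAP")
    return results
```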

