Unable to authenticate to 10.5.4 open directory

Ivan Kalik tnt at kalik.net
Tue Sep 2 10:44:16 CEST 2008


You are using an outdated version of the server which doesn't support
virtual servers. In the current version, EAP is processed by the default
virtual server while the inner tunnel is processed by the inner-tunnel
virtual server. If you don't want to upgrade, you can emulate this by
using real ones.

Set up another RADIUS server with an identical configuration which will
process inner-tunnel requests. Add a realm inner-tunnel to the current
server's proxy.conf which will proxy requests to the new server. Add this
to the users file:

DEFAULT   FreeRADIUS-Proxied-To = 127.0.0.1, Proxy-To-Realm := "inner-tunnel"

In that way the stripped username will be sent to the inner-tunnel server
for authentication (which you have shown to work). You can't simply
rewrite User-Name with Stripped-User-Name in your current setup because
EAP will fail.

Ivan Kalik
Kalik Informatika ISP
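As an added worked example (not part of Ivan's reply and not a configuration shipped with FreeRADIUS), here is what the emulation described above looks like as FreeRADIUS 1.x configuration fragments for the two instances. The port 18120, the shared secret, the directory /etc/raddb-inner and the shortname are assumptions chosen for illustration; the keywords (realm, authhost, accthost, secret, bind_address, port, client) are standard 1.x syntax. The users entry uses `==`, the documented comparison operator for check items.

```conf
# --- Instance A: the existing server (talks to the Access Point, runs EAP) ---

# proxy.conf: a realm whose home server is the second instance on loopback.
# 18120 and the secret are illustrative choices (assumption).
# Without "nostrip", User-Name is replaced by Stripped-User-Name
# ("u1" rather than "u1@voneyben.net") before the request is forwarded.
realm inner-tunnel {
	type		= radius
	authhost	= 127.0.0.1:18120
	accthost	= 127.0.0.1:18120
	secret		= inner-secret-CHANGE-ME
}

# users: Ivan's reply relies on 1.x marking the fake inner-tunnel request
# with FreeRADIUS-Proxied-To = 127.0.0.1, so only that request matches here
# and gets handed to the realm above. Keep this on ONE line: an indented
# second line in the users file would be parsed as reply items.
DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "inner-tunnel"

# --- Instance B: a copy of the same configuration, e.g. in /etc/raddb-inner ---

# radiusd.conf: bind only to loopback on the assumed port, so the inner
# server is never reachable from the LAN. Give the copy its own pidfile
# and log_file as well, or the two daemons collide.
bind_address	= 127.0.0.1
port		= 18120

# clients.conf: instance A is the only client; the secret must match the
# realm block above.
client 127.0.0.1 {
	secret		= inner-secret-CHANGE-ME
	shortname	= inner-proxy
}

# Instance B keeps the default users file (no Proxy-To-Realm entry) and the
# original "realm voneyben.net { authhost = LOCAL }" block, so the stripped
# "u1" is authenticated against Open Directory exactly as the working test.
```

Start the copy alongside the existing daemon with `radiusd -X -d /etc/raddb-inner` and repeat the failing test. Instance A's debug output should show the inner request being proxied to the inner-tunnel realm, and instance B's should show the same `rlm_realm: No '@' in User-Name = "u1"` path as the working trace; if instance B instead logs an unknown client or a shared-secret mismatch, the clients.conf entry and the realm secret are out of step.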


On 1/9/2008, "Thomas von Eyben" <thomasvoneyben at gmail.com> wrote:

>I have now done a lot of debugging with my OS X Server + Open
>Directory Users setup:
>
>Using an Apple Access Point AND using Apple's Server Admin management
>tool to configure radiusd I am able to authenticate to Open Directory
>users BUT only when I provide my shortname without the realm/domain
>name.
>E.g. authenticating as user "u1" works, but authenticating as user
>"u1 at voneyben.net" does not work.
>
>I now know that it IS possible to authenticate towards OD :)
>Unfortunately I am unable to figure out how to change the
>configuration to solve my problem authenticating users like
>"u1 at voneyben.net"
>
>A complete debug is available here:
>http://voneyben.net/radius/auth-u1-ok.txt
>http://voneyben.net/radius/auth-u1@voneyben.net-bad.txt
>
>When authentication (as "u1") succeeds, this part looks interesting:
>    rlm_realm: No '@' in User-Name = "u1", looking up realm NULL
>    rlm_realm: Found realm "NULL"
>    rlm_realm: Adding Stripped-User-Name = "u1"
>    rlm_realm: Proxying request from user u1 to realm NULL
>    rlm_realm: Adding Realm = "NULL"
>    rlm_realm: Authentication realm is LOCAL.
>
>When authentication (as "u1 at voneyben.net") fails, this part looks interesting:
> modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: Looking up realm "voneyben.net" for User-Name = "u1 at voneyben.net"
>    rlm_realm: Found realm "voneyben.net"
>    rlm_realm: Adding Stripped-User-Name = "u1"
>    rlm_realm: Proxying request from user u1 to realm voneyben.net
>    rlm_realm: Adding Realm = "voneyben.net"
>    rlm_realm: Authentication realm is LOCAL.
>
>
>So how do I modify proxy.conf to get "u1 at voneyben.net" to be
>handled the same way as "u1", meaning to get Apple's Open Directory to
>do its thing :)
>
>Currently the realm in proxy.conf looks like this:
>realm voneyben.net {
>       type            = radius
>       authhost        = LOCAL
>       accthost        = LOCAL
>}
>
>The complete config files are available here:
>http://voneyben.net/radius/proxy.conf
>http://voneyben.net/radius/radiusd.conf
>http://voneyben.net/radius/eap.conf
>
>And, to save a lot of scrolling, without the comments:
>http://voneyben.net/radius/proxy-no-comments.conf
>http://voneyben.net/radius/radiusd-no-comments.conf
>http://voneyben.net/radius/eap-no-comments.conf
>
>- TvE
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
