PEAP/mschapv2 - opendirectory

Kemal YILDIRIM kemaly at
Mon Nov 14 21:40:39 CET 2011

Hello all,
I've just been able to implement a wired 802.1x system with PEAP/mschapv2 authentication against opendirectory, which is running on MacOSX server 10.6.8 Leopard.
At the end I have a "working" setup, but I would like to learn more to fix my faults.
Below you can find my study steps and config changes.
And these are my questions regarding the following outputs.
Q1- Is it possible to get radius attributes with the opendirectory module (not well documented)? If yes, please share your experience.
Q2- I am not sure what is happening during the mschap challenge/response below.
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] No NT-Password configured. Trying OpenDirectory Authentication.
[mschap] OD username_string = onex, OD shortUserName=onex (length = 4) 
[mschap] dsDoDirNodeAuth returns stepbuff: S=D134BC291881FAF31275724FE84FEA40648F64C6 (len=40) 
++[mschap] returns ok
MSCHAP Success 
1. Testbed:
Auth Server	: FreeRadius 2.1.3 running on MacOSX 10.6.8 Leopard, other services: opendirectory (openLDAP), Kerberos, DNS, DHCP
Authenticator	: HP Networking 2910 switch
Supplicants	: WindowsXPsp3, Windows7, MacOSX (PEAP/mschapv2)
Directory Admin	: diradmin
Test User		: onex
authentication 	: opendirectory (mschap module is calling opendirectory module for challenge response)
authorization	: by ldap search in post-auth section inside of inner-tunnel server.
authorization	: settings are Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id (by ldap search)
sql client db	: the Mac OSX serveradmin GUI has access to configure radius clients (max count is 64); I am not using clients.conf
As I understood it, Mac OSX server actually uses openLDAP, but Apple named it "opendirectory" after restricting and changing the access methods.
There was no radius schema file in Apple's distribution of FreeRadius, or at least I could not find it where it normally would be. So I downloaded the schema file and extended it manually.
2. LDAP schema extension and creating radius attributes for 802.1x
include /etc/openldap/schema/radius.schema
slaptest -f slapd.conf -F slapd.d
dn: cn={10}radius
restart host or restart slapd
cd LDAPv3
auth diradmin abc123
create . radiusTunnelPrivateGroupId 10
cd ..
cd vlan20
create . radiusTunnelPrivateGroupId 20
I will set Tunnel-Type and Tunnel-Medium-Type statically in the post-auth section; the radiusTunnelPrivateGroupId attribute is sufficient in LDAP.
3. Radius config
Non-default or changed parameters are written here.
The LDAP module will not be used for authentication; it will be used only to set radiusTunnelPrivateGroupId.
Authentication will be done through the opendirectory module by the mschap call.
MacOSX issue : without Apple base stations the Radius service could not be started from the serveradmin GUI;
			this needs to be fixed by deleting some lines regarding the BaseStation check in the following file.
ldap {
        server = ""
        identity = "uid=diradmin,cn=users,dc=radsrv,dc=lab,dc=com"
        password = abc123
        basedn = "dc=radsrv,dc=lab,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"                    // In my test only User-Name is used 
        base_filter = "(objectclass=radiusprofile)"
set_auth_type = no 	// As far as I know LDAP only works with pap authentication
        Tunnel-Type == VLAN,
        Tunnel-Medium-Type == IEEE-802,
        Tunnel-Private-Group-Id =* ANY,
checkItem       User-Name                       uid                        			// I am not able to check ntlm or other hashes, only uid check for "return noop"
replyItem       Tunnel-Type                     radiusTunnelType
replyItem       Tunnel-Medium-Type              radiusTunnelMediumType
replyItem       Tunnel-Private-Group-Id         radiusTunnelPrivateGroupId
max_request = 16384
proxy_requests  = no
#$INCLUDE clients.conf                 		// MAX Client count is 64 in sql db ( if I run out of space, will use clients.conf in addition)
realm LAB.COM {		                                  // doing nothing, but I would like to use it
default_eap_type = peap
tls {
	private_key_password = Apple:UseCertAdmin
	private_key_file = "/etc/certificates/"
	certificate_file = "/etc/certificates/"
	CA_file = "/etc/certificates/"
	dh_file = /etc/raddb/certs/dh
	random_file = /etc/raddb/certs/random
peap {
	use_tunneled_reply = yes
authorize {
authenticate {
#       Auth-Type PAP {
#               pap
#       }
#       Auth-Type CHAP {
#               chap
#       }
#   Auth-Type opendirectory {
#      opendirectory
#    }
#       Auth-Type LDAP {
#               ldap
#       }
authorize {
#LDAP is checking uid only, enabled for post-auth section
authenticate {
#       Auth-Type PAP {
#               pap
#       }
#       Auth-Type CHAP {
#               chap
#       }
# in ldap search radiusTunnelPrivateGroupId attribute is reached if cn=vl* AND memberUid=%{User-Name}
# all group names need to start with "vl"
# attribute value "10" returns in this case

post-auth {
	update reply {
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = "%{ldap:ldap:///dc=radsrv,dc=lab,dc=com?radiusTunnelPrivateGroupId?sub?(&(cn=vl*)(memberUid=%{User-Name}))}"
4. Switch Config, HP Networking 2910 switch is used in this testbed
interface 1 name Supplicant
interface 3 name RadiusServer
vlan 10 name CorporateVLAN
ip add
ip helper
vlan 40 name UnauthVLAN
ip add
ip helper
vlan 100
ip add
untag 3
exit
radius-server host key 123
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
aaa port-access authenticator 1
aaa port-access authenticator 1 unauth-vid 40
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator 1 control auto
aaa port-access authenticator active
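Regarding Q2 and the "dsDoDirNodeAuth returns stepbuff: S=..." debug line: that 42-character string is the MS-CHAPv2 authenticator response of RFC 2759 section 8.7, which the server returns to the supplicant in MS-CHAP2-Success. It is derived from the MD4 of the NT password hash (the "hash of hash"), the NT-Response the client sent, the two 16-byte challenges and the user name, so whoever holds the NT hash (here OpenDirectory, on rlm_mschap's behalf) can produce it without ever seeing a cleartext password. The following is an added example, not code from the original post or from FreeRADIUS; it reproduces that computation on the published RFC 2759 section 9.2 test vectors. The NT-Response is taken as a given input, because producing it needs three DES operations that are not shown here. MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds.

```python
"""MS-CHAPv2 authenticator response, RFC 2759 sections 8.2-8.4 and 8.7-8.8.

Added example (not from the original post or FreeRADIUS). Reproduces the
"S=<40 hex>" value seen in the rlm_mschap stepbuff debug line from the
NT hash, the NT-Response, both challenges and the user name only.
"""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is unavailable on many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (8.3): MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


def hash_nt_password_hash(password_hash: bytes) -> bytes:
    """HashNtPasswordHash (8.4): MD4 of the NT hash; this is all the server side needs."""
    return md4(password_hash)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: bytes) -> bytes:
    """ChallengeHash (8.2): first 8 bytes of SHA1(PeerChallenge | AuthenticatorChallenge | UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + user_name).digest()[:8]


_MAGIC1 = b"Magic server to client signing constant"
_MAGIC2 = b"Pad to make it do more than one iteration"


def generate_authenticator_response(password_hash: bytes, nt_response: bytes,
                                    peer_challenge: bytes, auth_challenge: bytes,
                                    user_name: bytes) -> str:
    """GenerateAuthenticatorResponse (8.7): the "S=..." string sent back in MS-CHAP2-Success."""
    digest = hashlib.sha1(hash_nt_password_hash(password_hash) + nt_response + _MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, user_name)
    digest = hashlib.sha1(digest + challenge + _MAGIC2).digest()
    return "S=" + digest.hex().upper()


def check_authenticator_response(password_hash: bytes, nt_response: bytes,
                                 peer_challenge: bytes, auth_challenge: bytes,
                                 user_name: bytes, received: str) -> bool:
    """CheckAuthenticatorResponse (8.8), as the supplicant runs it; constant-time compare."""
    expected = generate_authenticator_response(password_hash, nt_response,
                                               peer_challenge, auth_challenge, user_name)
    return hmac.compare_digest(expected.encode(), received.encode())


# RFC 2759 section 9.2 test vectors (published values, not constructed here)
USER_NAME = b"User"
PASSWORD = "clientPass"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def demo() -> str:
    """Run the server-side computation on the RFC vectors; expected S=407A5589115FD0D6209F510FE9C04566932CDA56."""
    return generate_authenticator_response(nt_password_hash(PASSWORD), NT_RESPONSE,
                                           PEER_CHALLENGE, AUTH_CHALLENGE, USER_NAME)


if __name__ == "__main__":
    print("NT hash       :", nt_password_hash(PASSWORD).hex().upper())
    print("hash of hash  :", hash_nt_password_hash(nt_password_hash(PASSWORD)).hex().upper())
    print("challenge     :", challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, USER_NAME).hex().upper())
    print("auth response :", demo())
```

This is why the "No Cleartext-Password configured" and "No NT-Password configured" lines are harmless in this setup: rlm_mschap only falls through to OpenDirectory, which holds the NT hash and hands back the finished "S=" string. The caveat is that the NT-Response itself is a DES-based function of the NT hash and an 8-byte challenge, so anyone who can observe the MS-CHAPv2 exchange can attack it offline; the protection comes entirely from the outer PEAP TLS tunnel, which only holds if supplicants validate the server certificate rather than accepting any certificate.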
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd-X.txt
More information about the Freeradius-Users mailing list