MSCHAPv2 fails to authenticate against OpenDirectory with error 5100 (0x13ec)

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat Jun 13 05:12:55 CEST 2015


> On 12 Jun 2015, at 21:34, Jason Healy <jhealy at logn.net> wrote:
> 
> We’re an all-Apple campus and we currently use OpenDirectory as our central auth system.  This includes being the backend for our wireless auth using EAP-PEAP/MSCHAPv2.  Our system does work, so this is possible.
> 
> One thing that we tried, failed, and gave up on was building a modern FR build to talk directly to OpenDirectory.  There was too much secret sauce, and we’ve found that messing with the Apple servers too much causes weirdness and/or failures that are difficult to diagnose or get help with.
> 
> We ended up building a modern FR on Linux and then proxying all requests to the Apple-supplied FR server running on the OpenDirectory machine.  This let us change all the FR configuration we wanted to (on the linux box) and left the Apple box as stock as possible.  You just need to add a client definition on the Apple server using their ‘radiusconfig’ tool:
> 
>  sudo radiusconfig -addclient <ipaddr of proxying box> <short name of proxying box> other
> 
> In terms of your MSCHAP error, that does still sound a little odd.  Older versions of OD (pre 10.7?) used to have configuration options for which recoverable hashes you wanted to store your passwords with.  If you didn’t check the MSCHAP box, then you couldn’t do that form of auth.  However, recent builds no longer have this option, so I’m guessing that OD stores passwords in a recoverable form by default.  Again, our stock build does allow MSCHAP authentication, so I’m not sure why you’d get that error.
> 
> Do you have another OD server you can spin up to test a clean install?  Our experience (4 different OpenDirectory servers) has been that you just add the radius client and authentication “just works” for PEAP/MSCHAPv2.

There's code sitting in a branch off of a very old version of v2, which seems to deal explicitly with NTLM against Open Directory. It uses a newer framework than the existing rlm_opendirectory.

Apple contributed it back in 2011, but there was never significant interest in getting it merged.

If someone is able to test (I can port it into v3.1.x), it would be nice to be able to authenticate against modern open directory servers.

https://github.com/FreeRADIUS/freeradius-server/commit/6040566cfa969da1bce085ee48b4cd3e433e87d8#diff-ff5083ad3697e3a4d1927248c1a2a090R129

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
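The proxy arrangement Jason describes above (a current FreeRADIUS on Linux forwarding every request to the Apple-supplied FreeRADIUS on the OpenDirectory host) maps onto a small proxy.conf fragment. The following is an added example, not configuration from either poster or from the FreeRADIUS project; the host name, address, realm name and secret are placeholders, and it assumes FreeRADIUS 3.x syntax on the Linux front-end.

```text
# Added example (not from the thread): proxy.conf on the Linux front-end.
# Everything here is illustrative; replace the placeholder values.

home_server od_apple {
    type   = auth
    ipaddr = 192.0.2.10          # placeholder: the OpenDirectory/Apple RADIUS host
    port   = 1812
    # Must be the same shared secret registered for this box on the
    # Apple side (the 'radiusconfig -addclient' step from the thread).
    # Use a long random value; the secret is what authenticates the
    # two RADIUS servers to each other.
    secret = CHANGE_ME_LONG_RANDOM
}

home_server_pool od_pool {
    type        = fail-over
    home_server = od_apple
}

# A realm that sends everything to the Apple box. 'nostrip' keeps the
# User-Name exactly as the client sent it, so OpenDirectory sees the
# same account name the user typed.
realm od_apple_realm {
    auth_pool = od_pool
    nostrip
}

# In sites-enabled/default, inside the 'authorize' section, force every
# request into that realm so nothing is authenticated locally:
#
#     authorize {
#         ...
#         update control {
#             Proxy-To-Realm := "od_apple_realm"
#         }
#     }
```

Two things follow from proxying the whole conversation rather than terminating PEAP locally: the Apple server becomes the EAP peer, so the TLS certificate the wireless clients are asked to trust is the one on the OpenDirectory host, not the Linux box; and the front-end still needs its own clients.conf entries for the access points, while the Apple side needs only the single client entry for the proxy. Restricting UDP/1812 on the Apple host to the proxy's address keeps the stock server from being reachable by anything else.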
