Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle eric at wittle.net
Wed Dec 5 02:38:15 CET 2018


OK, Alan’s recommended approach from the last exchange:

> The short summary is to try to get this working:
> 
> a) without using OpenDirectory, but using a static / test password
>

If you look at the “Appendix A” section below, you’ll see the debug output (just the packet part, I skipped the config dump, since I’ve sent it already earlier in this thread). It sure looks to me like a successful authentication against OpenDirectory, because of the following at the end:

“(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
(1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0” 

Despite that success, the VPN still reports authentication failure. If my install and configuration are already successfully authenticating against OpenDirectory based on the debug output, what would I learn by running a test without OpenDirectory? I thought it a natural next step to look at what successful output meant from this configuration, and whether it was different than successful output from the prior version, which is accepted by the VPN client. I’m not sure why you disagree.

> b) with OpenDirectory, but using radtest to send MS-CHAP packets.
> 
>  i.e. skip the NAS entirely.  Just use RADIUS test tools, and look at the RADIUS debug messages.

OK, I thought I’d try that, since you suggested it, but again I’m not sure what that is supposed to tell me if the debug output of running with an actual request from the VPN is returning a success code. So I tried it. Here’s the command I used:

/usr/local/bin/radtest -x -t chap eric <password> 127.0.0.1 0 <secret> 1 192.168.1.1

The server debug output showed a failure, but it was because of allegedly a secret mismatch. Here’s the output from the server in debug mode:

"rad_recv: Access-Request packet from host 127.0.0.1 port 64369, id=137, length=81
Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response."

I thought that was odd, because I’m not seeing anything about secret mismatches when I’m using the actual VPN client. So I fired up the 2.2.10 radius install that is working, and it fails the same way with a secret mismatch. Furthermore, because part of the Apple instructions for migrating from their version to the one they recommend people install from OpenSource includes steps to dump the clients data from the existing database and import it into the new database, I still have the tmp file that is generated as part of that process. Here’s the single line from my one client:

1,192.168.1.1,router.wittle.net,other,,<secret>,,

And yes, the <secret> value in the temp file is the same as the secret value I provided to radtest.

>  Maybe there's a problem with the OpenDirectory integration in v3.  I don't think so, because others use it, and Apple has instructions for using it.  So it should work.

I’m not clear that anyone who uses Apple Server is using FreeRADIUS 3.0. As far as I know, I’m running the most recent version of Apple Server that doesn’t remove support for FreeRADIUS entirely, and that is running FreeRADIUS 2.2.10.

You might want to read Apple’s instructions for how to install FreeRADIUS 3.0 in their migration guide for migrating services to OpenSource that they published because they’ve removed most of the components of Apple Server in the versions that shipped this fall. If you do, you’ll see at least two egregious errors in their installation instructions. The first is in how to set configuration options for talloc; they specify a configuration command with an argument of “-without-gettext”, which is an invalid argument; it has to be “--without-gettext”. The second, later, is instructions to change the ownership of the plist file with “chmod root:wheel”. If someone knows how to change ownership with chmod rather than chown, I’d be happy to see it.

Since Apple can’t get the FreeRADIUS instructions for building correct, and they’re on version 1.2 of the migration guide without correcting them, I’m not sure I’d assume there are a bunch of FreeRADIUS OpenDirectory installations out there. Given that they have two egregious errors in the build instructions, my confidence in their configuration instructions being completely accurate is low. I’m pretty sure their instructions state to uncomment a specific line in an entire section that ships commented out, for example. That last one is from memory, I haven’t gone back and confirmed. But I will when I finally get this working. Once it is working, I’ll file a bug with Apple so that hopefully they can update the migration guide, and someone else can benefit from the large amount of time I’ve spent on this, and whatever help I end up getting from this list.

-Eric

Appendix A - Appears to be debug output from a successful authentication
========================================================

Ready to process requests
(1) Received Access-Request Id 45 from 192.168.1.1:59532 to 192.168.1.2:1812 length 132
(1)   Service-Type = Framed-User
(1)   Framed-Protocol = PPP
(1)   User-Name = "eric"
(1)   MS-CHAP-Challenge = 0x2a053a73fcd64ba4fafc59d5e78ab6d5
(1)   MS-CHAP2-Response = 0xa300f17177f7f822865736049dcf49eaf81600000000000000007ffbd34e0a6706395266205ea76afcc927029837596e9dcf
(1)   NAS-IP-Address = 127.0.1.1
(1)   NAS-Port = 0
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log:    --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(1) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(1) auth_log: EXPAND %t
(1) auth_log:    --> Tue Dec  4 07:54:15 2018
(1)     [auth_log] = ok
(1)     [chap] = noop
(1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(1)     [mschap] = ok
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "eric", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) files: users: Matched entry DEFAULT at line 181
(1)     [files] = ok
(1) opendirectory: The host 192.168.1.1 does not have an access group.
(1)     [opendirectory] = ok
(1) sql: EXPAND %{User-Name}
(1) sql:    --> eric
(1) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (3)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (3)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(1)     [sql] = notfound
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = ok
(1) Found Auth-Type = mschap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   authenticate {
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(1) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(1) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) 
(1) mschap:   Stepbuf server challenge : 
2a053a73fffffffcffffffd64bffffffa4fffffffafffffffc59ffffffd5ffffffe7ffffff8affffffb6ffffffd5
(1) mschap:   Stepbuf peer challenge   : 
fffffff17177fffffff7fffffff822ffffff86573604ffffff9dffffffcf49ffffffeafffffff816
(1) mschap:   Stepbuf p24              : 
7ffffffffbffffffd34e0a6706395266205effffffa76afffffffcffffffc92702ffffff9837596effffff9dffffffcf
(1)     [mschap] = ok
(1)   } # authenticate = ok
(1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(1)   post-auth {
(1)     update {
(1)       No attributes updated
(1)     } # update = noop
(1) reply_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(1) reply_log:    --> /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(1) reply_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(1) reply_log: EXPAND %t
(1) reply_log:    --> Tue Dec  4 07:54:15 2018
(1)     [reply_log] = ok
(1) sql: EXPAND .query
(1) sql:    --> .query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(1) sql: EXPAND %{User-Name}
(1) sql:    --> eric
(1) sql: SQL-User-Name set to 'eric'
(1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(1) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 07:54:15')
(1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 07:54:15')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(1)     [sql] = ok
(1)     [exec] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # post-auth = ok
(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
(1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0
(1)   Framed-Protocol = PPP
(1)   Framed-Compression = Van-Jacobson-TCP-IP
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 45 with timestamp +47
Ready to process requests