Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Thu Dec 6 00:21:23 CET 2018

Responding to Matthew & Alan.

I manually repeated the changes Alan checked in to opendir.c. Unfortunately, I still got a segfault after those changes. I’ve done some debugging since, and now have a successfully authenticating VPN with the modified code (yeah)!

The segmentation fault was because the method signature for mschap_add_reply in opendir.c didn’t match the actual method in rlm_mschap.c. I changed the signature definition at the top to remove the ValuePair parameter; it seemed to match the current definition in rlm_mschap.c more correctly that way:

/* void mschap_add_reply(REQUEST *request, VALUE_PAIR** vp, unsigned char ident,                                                            
   char const* name, char const* value, int len); */
void mschap_add_reply(REQUEST *request, unsigned char ident,
                      char const* name, char const* value, int len);

and the method call for MS-CHAP2-Success:

                                mschap_add_reply(request, /* &request->reply->vps, */
	                                         *response->vp_strvalue,
                                                 "MS-CHAP2-Success",
                                                 mschap_reply, len + 2);

As I mentioned, VPN authentication is now working with these modifications. If these are not the most correct way to solve the problem, please let me know. I’m also willing to build from a pull when you have a final change as a validation if you’d like.

I’m planning on filing an issue with Apple on their documentation for migrating from Apple Server to the 3.0 version of FreeRADIUS. I’m honestly curious if either of you think that open directory authentication with 3.0 could work in any cases? It seems to me like they never tested their instructions, but I admit I’m generalizing from one single use case (router authentication). As you can probably tell from some of my early e-mails, my ignorance about FreeRADIUS was quite high when I first engaged with this group, and I simply don’t know if there would be use cases where the missing MS-CHAP2-Success would not cause problems.

Lastly, when I file the issue with apple, would you be comfortable that I recommend that they change to a  3.0 version that contains whatever the final fixed code is? Their docs currently say 3.0.0 specifically. If so, would that be 3.0.18?

Thanks again for your help, and sorry for any confusion I may have caused along the way.

-Eric