Problems getting along with Open Directory
Philip Ershler
philip.ershler at utah.edu
Tue Oct 1 00:24:04 CEST 2019
Hello,
I am trying to use LDAP access to Open Directory on a 10.14.6 machine. I installed Freeradius from MacPorts. I am attempting to use Freeradius to authenticate wireless users. If I make the following edit to /opt/local/etc/raddb/mods-config/files/authorize, I can make a wireless connection without problems.
# The canonical testing user which is in most of the
# examples.
#
#bob Cleartext-Password := "hello"
# Reply-Message := "Hello, %{User-Name}"
#
#
ershler Cleartext-Password := "mypass"
	Reply-Message := "Hello, %{User-Name}"
#
Here you can see the Reply-Message in several places as the authentication proceeds.
Received Access-Request Id 73 from 155.100.140.233:58880 to 155.100.140.85:1812 length 196
(9) User-Name = "ershler"
(9) NAS-IP-Address = 155.100.140.233
(9) NAS-Port = 0
(9) Called-Station-Id = "00-26-BB-74-F6-1F:CVRTI-G"
(9) Calling-Station-Id = "A0-99-9B-10-AF-65"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 0Mbps 802.11"
(9) EAP-Message = 0x02b200251900170303001a44ad024358ecd35da92afbb2e7970520a3c18852ced0f46ef259
(9) State = 0xe2201e71ea92079232d7793ca94d3ef5
(9) Message-Authenticator = 0x1383e35fceb57971f268e1e223750d27
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "ershler", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 178 length 37
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /opt/local/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x9638639a978a7940
(9) eap: Finished EAP session with state 0xe2201e71ea920792
(9) eap: Previous EAP request found for state 0xe2201e71ea920792, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x02b200061a03
(9) eap_peap: Setting User-Name to ershler
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x02b200061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "ershler"
(9) eap_peap: State = 0x9638639a978a79408050c69dcac660aa
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x02b200061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "ershler"
(9) State = 0x9638639a978a79408050c69dcac660aa
(9) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "ershler", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 178 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) files: users: Matched entry ershler at line 92
(9) files: EXPAND Hello, %{User-Name}
(9) files: --> Hello, ershler
(9) [files] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x9638639a978a7940
(9) eap: Finished EAP session with state 0x9638639a978a7940
(9) eap: Previous EAP request found for state 0x9638639a978a7940, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 178 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(9) post-auth {
(9) if (0) {
(9) if (0) -> FALSE
(9) } # post-auth = noop
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) Reply-Message = "Hello, ershler"
(9) MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) MS-MPPE-Send-Key = 0x7a8a71ab9a85e2ccc32c93159586c440
(9) MS-MPPE-Recv-Key = 0x5731187423009b1ee0e1a8ce75e482ca
(9) EAP-Message = 0x03b20004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "ershler"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: Reply-Message = "Hello, ershler"
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0x7a8a71ab9a85e2ccc32c93159586c440
(9) eap_peap: MS-MPPE-Recv-Key = 0x5731187423009b1ee0e1a8ce75e482ca
(9) eap_peap: EAP-Message = 0x03b20004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = "ershler"
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap: Reply-Message = "Hello, ershler"
**************************************************************************************
With dscl, I can see the following apple-enabled-auth-mech enabled
admin$ dscl /LDAPv3/127.0.0.1 read /Config/dirserv apple-enabled-auth-mech
dsAttrTypeNative:apple-enabled-auth-mech: DHX DIGEST-MD5 GSSAPI SRP CRAM-MD5 WEBDAV-DIGEST SMB-NTLMv3 EAP-MSCHAPv2 SMB-NTLMv2
If I take my name and password out of /opt/local/etc/raddb/mods-config/files/authorize, then I get the following errors from FreeRadius. I am wondering what or where the problem is.
**************************************************************************************
(30) FreeRADIUS-Proxied-To = 127.0.0.1
(30) User-Name = "ershler"
(30) State = 0xfdbd9f93fd6a85f8a445b5c272e47828
(30) WARNING: Outer and inner identities are the same. User privacy is compromised.
(30) server inner-tunnel {
(30) session-state: No cached attributes
(30) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /@\./) {
(30) if (&User-Name =~ /@\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [chap] = noop
(30) [mschap] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "ershler", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) update control {
(30) &Proxy-To-Realm := LOCAL
(30) } # update control = noop
(30) eap: Peer sent EAP Response (code 2) ID 215 length 66
(30) eap: No EAP Start, assuming it's an on-going EAP conversation
(30) [eap] = updated
(30) [files] = noop
(30) [expiration] = noop
(30) [logintime] = noop
(30) [pap] = noop
(30) } # authorize = updated
(30) Found Auth-Type = eap
(30) # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30) authenticate {
(30) eap: Expiring EAP session with state 0xfdbd9f93fd6a85f8
(30) eap: Finished EAP session with state 0xfdbd9f93fd6a85f8
(30) eap: Previous EAP request found for state 0xfdbd9f93fd6a85f8, released from the list
(30) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(30) eap: Calling submodule eap_mschapv2 to process data
(30) eap_mschapv2: # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30) eap_mschapv2: authenticate {
(30) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(30) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(30) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(30) mschap: OD username_string = ershler, OD shortUserName=ershler (length = 7)
(30) mschap: ERROR: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported
(30) eap_mschapv2: [mschap] = reject
(30) eap_mschapv2: } # authenticate = reject
(30) eap: Sending EAP Failure (code 4) ID 215 length 4
(30) eap: Freeing handler
(30) [eap] = reject
(30) } # authenticate = reject
(30) Failed to authenticate the user
(30) Using Post-Auth-Type Reject
(30) # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30) Post-Auth-Type REJECT {
(30) attr_filter.access_reject: EXPAND %{User-Name}
(30) attr_filter.access_reject: --> ershler
(30) attr_filter.access_reject: Matched entry DEFAULT at line 11
(30) [attr_filter.access_reject] = updated
(30) update outer.session-state {
(30) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported'
(30) } # update outer.session-state = noop
(30) } # Post-Auth-Type REJECT = updated
(30) } # server inner-tunnel
************************************************************************************
Thanks,
Phil Ershler
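The two debug traces above differ in where the inner MSCHAPv2 password check is satisfied: request (9) is matched by the files module (Cleartext-Password, so rlm_mschap can derive NT-Password itself), while request (30) has no local password and falls through to the OpenDirectory path, which fails with eDSAuthMethodNotSupported. The following script is an added example, not code from the post or from FreeRADIUS; it summarises FreeRADIUS `-X` output per request id (method, password source, accept/reject, module error, warnings) so the reject reason and the identity-privacy warning are easy to spot. The sample log is constructed from abbreviated lines of the traces above.

```python
import re

# Constructed sample: abbreviated lines taken from the two debug traces in the post.
SAMPLE_LOG = """\
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9) files: users: Matched entry ershler at line 92
(9) [files] = ok
(9) eap: Sending EAP Success (code 3) ID 178 length 4
(30) WARNING: Outer and inner identities are the same. User privacy is compromised.
(30) [files] = noop
(30) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(30) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(30) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(30) mschap: ERROR: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported
(30) eap: Sending EAP Failure (code 4) ID 215 length 4
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")          # "(id) message"
ERROR_RE = re.compile(r"ERROR: (rlm_\w+): (.*)$")    # module error with its status text
METHOD_RE = re.compile(r"Peer sent packet with method EAP (\S+)")


def summarize(log_text):
    """Return {request_id: summary dict} built from FreeRADIUS -X debug lines."""
    reqs = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore lines without a request-id prefix
        rid, msg = int(m.group(1)), m.group(2)
        r = reqs.setdefault(rid, {"method": None, "source": None,
                                  "result": None, "error": None, "warnings": []})
        if msg == "[files] = ok":
            r["source"] = "files (local Cleartext-Password)"
        elif "Trying OpenDirectory Authentication" in msg:
            r["source"] = "OpenDirectory"
        elif msg.startswith("eap: Sending EAP Success"):
            r["result"] = "accept"
        elif msg.startswith("eap: Sending EAP Failure"):
            r["result"] = "reject"
        elif (e := ERROR_RE.search(msg)):
            r["error"] = f"{e.group(1)}: {e.group(2)}"   # checked before the WARNING branch
        elif (mm := METHOD_RE.search(msg)):
            r["method"] = mm.group(1)
        elif "WARNING:" in msg:
            r["warnings"].append(msg.split("WARNING: ", 1)[1])
    return reqs


if __name__ == "__main__":
    for rid, r in sorted(summarize(SAMPLE_LOG).items()):
        print(f"({rid}) {r['method']} via {r['source']}: {r['result']}; error={r['error']}")
        for w in r["warnings"]:
            print(f"     warning: {w}")
```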