On 9/29/16, 2:24 PM, "Brian Candler" <b.candler@pobox.com> wrote:
Have you tried "use_tunneled_reply = yes" ?
I don’t think this is relevant in this case as we aren’t tunneling in peap or ttls. It is just straight eap-mschapv2. I did some digging in the freeradius code and I believe I’ve discovered the root cause of my issue. The opendirectory authentication part of the rlm_mschap module returns directly and all the mppe calculations and responses are bypassed. This is the case in 2.2.9, 3.0.12, and still in 4.0.x according to github: https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_... Now, while I am okay at reading C code, I’m not sure I’m good enough to write a patch for this. I’m not even sure such a patch is possible given my limited understanding of the existing architecture and the opendirectory auth. My understanding is that opendirectory can be configured to store NTLM hashes of user passwords so *theoretically* it should be possible for od_mschap_auth to calculate nthashhash and provide the resulting mppe keys. ::Adam