Hello, I am trying to use LDAP access to Open Directory on a 10.14.6 machine. I installed Freeradius from MacPorts. I am attempting to use Freeradius to authenticate wireless users. If I make the following edit to /opt/local/etc/raddb/mods-config/files/authorize, I can make a wireless connection without problems. # The canonical testing user which is in most of the # examples. # #bob Cleartext-Password := "hello" # Reply-Message := "Hello, %{User-Name}" # # ershler Cleartext-Password := “mypass" Reply-Message := "Hello, %{User-Name}" # Here you can see the Reply-Message in several places as the authentication proceeds. Received Access-Request Id 73 from 155.100.140.233:58880 to 155.100.140.85:1812 length 196 (9) User-Name = "ershler" (9) NAS-IP-Address = 155.100.140.233 (9) NAS-Port = 0 (9) Called-Station-Id = "00-26-BB-74-F6-1F:CVRTI-G" (9) Calling-Station-Id = "A0-99-9B-10-AF-65" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Connect-Info = "CONNECT 0Mbps 802.11" (9) EAP-Message = 0x02b200251900170303001a44ad024358ecd35da92afbb2e7970520a3c18852ced0f46ef259 (9) State = 0xe2201e71ea92079232d7793ca94d3ef5 (9) Message-Authenticator = 0x1383e35fceb57971f268e1e223750d27 (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "ershler", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 178 length 37 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /opt/local/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x9638639a978a7940 (9) eap: Finished EAP session with state 0xe2201e71ea920792 (9) eap: Previous EAP request found for state 0xe2201e71ea920792, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x02b200061a03 (9) eap_peap: Setting User-Name to ershler (9) eap_peap: Sending tunneled request to inner-tunnel (9) eap_peap: EAP-Message = 0x02b200061a03 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "ershler" (9) eap_peap: State = 0x9638639a978a79408050c69dcac660aa (9) Virtual server inner-tunnel received request (9) EAP-Message = 0x02b200061a03 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "ershler" (9) State = 0x9638639a978a79408050c69dcac660aa (9) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "ershler", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) update control { (9) &Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: Peer sent EAP Response (code 2) ID 178 length 6 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) files: users: Matched entry ershler at line 92 (9) files: EXPAND Hello, %{User-Name} (9) files: --> Hello, ershler (9) [files] = ok (9) [expiration] = noop (9) [logintime] = noop (9) pap: WARNING: Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x9638639a978a7940 (9) eap: Finished EAP session with state 0x9638639a978a7940 (9) eap: Previous EAP request found for state 0x9638639a978a7940, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap: Sending EAP Success (code 3) ID 178 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /opt/local/etc/raddb/sites-enabled/inner-tunnel (9) post-auth { (9) if (0) { (9) if (0) -> FALSE (9) } # post-auth = noop (9) } # server inner-tunnel (9) Virtual server sending reply (9) Reply-Message = "Hello, ershler" (9) MS-MPPE-Encryption-Policy = Encryption-Allowed (9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (9) MS-MPPE-Send-Key = 0x7a8a71ab9a85e2ccc32c93159586c440 (9) MS-MPPE-Recv-Key = 0x5731187423009b1ee0e1a8ce75e482ca (9) EAP-Message = 0x03b20004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "ershler" (9) eap_peap: Got tunneled reply code 2 (9) eap_peap: Reply-Message = "Hello, ershler" (9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (9) eap_peap: MS-MPPE-Send-Key = 0x7a8a71ab9a85e2ccc32c93159586c440 (9) eap_peap: MS-MPPE-Recv-Key = 0x5731187423009b1ee0e1a8ce75e482ca (9) eap_peap: EAP-Message = 0x03b20004 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: User-Name = "ershler" (9) eap_peap: Got tunneled reply RADIUS code 2 (9) eap_peap: Reply-Message = "Hello, ershler” ************************************************************************************** With dscl, I can see the following apple-enabled-auth-mech enabled admin$ dscl /LDAPv3/127.0.0.1 read /Config/dirserv apple-enabled-auth-mech dsAttrTypeNative:apple-enabled-auth-mech: DHX DIGEST-MD5 GSSAPI SRP CRAM-MD5 WEBDAV-DIGEST SMB-NTLMv3 EAP-MSCHAPv2 SMB-NTLMv2 If I take my name and password out of /opt/local/etc/raddb/mods-config/files/authorize, then I get the following errors from FreeRadius. I am wondering what or where the problem is. ************************************************************************************** (30) FreeRADIUS-Proxied-To = 127.0.0.1 (30) User-Name = "ershler" (30) State = 0xfdbd9f93fd6a85f8a445b5c272e47828 (30) WARNING: Outer and inner identities are the same. User privacy is compromised. (30) server inner-tunnel { (30) session-state: No cached attributes (30) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/inner-tunnel (30) authorize { (30) policy filter_username { (30) if (&User-Name) { (30) if (&User-Name) -> TRUE (30) if (&User-Name) { (30) if (&User-Name =~ / /) { (30) if (&User-Name =~ / /) -> FALSE (30) if (&User-Name =~ /@[^@]*@/ ) { (30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (30) if (&User-Name =~ /\.\./ ) { (30) if (&User-Name =~ /\.\./ ) -> FALSE (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (30) if (&User-Name =~ /\.$/) { (30) if (&User-Name =~ /\.$/) -> FALSE (30) if (&User-Name =~ /@\./) { (30) if (&User-Name =~ /@\./) -> FALSE (30) } # if (&User-Name) = notfound (30) } # policy filter_username = notfound (30) [chap] = noop (30) [mschap] = noop (30) suffix: Checking for suffix after "@" (30) suffix: No '@' in User-Name = "ershler", looking up realm NULL (30) suffix: No such realm "NULL" (30) [suffix] = noop (30) update control { (30) &Proxy-To-Realm := LOCAL (30) } # update control = noop (30) eap: Peer sent EAP Response (code 2) ID 215 length 66 (30) eap: No EAP Start, assuming it's an on-going EAP conversation (30) [eap] = updated (30) [files] = noop (30) [expiration] = noop (30) [logintime] = noop (30) [pap] = noop (30) } # authorize = updated (30) Found Auth-Type = eap (30) # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel (30) authenticate { (30) eap: Expiring EAP session with state 0xfdbd9f93fd6a85f8 (30) eap: Finished EAP session with state 0xfdbd9f93fd6a85f8 (30) eap: Previous EAP request found for state 0xfdbd9f93fd6a85f8, released from the list (30) eap: Peer sent packet with method EAP MSCHAPv2 (26) (30) eap: Calling submodule eap_mschapv2 to process data (30) eap_mschapv2: # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel (30) eap_mschapv2: authenticate { (30) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (30) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (30) mschap: No NT-Password configured. Trying OpenDirectory Authentication (30) mschap: OD username_string = ershler, OD shortUserName=ershler (length = 7) (30) mschap: ERROR: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported (30) eap_mschapv2: [mschap] = reject (30) eap_mschapv2: } # authenticate = reject (30) eap: Sending EAP Failure (code 4) ID 215 length 4 (30) eap: Freeing handler (30) [eap] = reject (30) } # authenticate = reject (30) Failed to authenticate the user (30) Using Post-Auth-Type Reject (30) # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel (30) Post-Auth-Type REJECT { (30) attr_filter.access_reject: EXPAND %{User-Name} (30) attr_filter.access_reject: --> ershler (30) attr_filter.access_reject: Matched entry DEFAULT at line 11 (30) [attr_filter.access_reject] = updated (30) update outer.session-state { (30) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported' (30) } # update outer.session-state = noop (30) } # Post-Auth-Type REJECT = updated (30) } # server inner-tunnel ************************************************************************************ Thanks, Phil Ershler