"Invalid password" on OS-X
Hi I'm trying to set up external authentication from our router to a OSX-server. I have it working fine if the user is an admin-user on the mac, but if I try with a normal user I get: Auth: rim_opendirectory: User <vpntest> is authorized. Auth: rim_opendirectory: User [vpntest]: invalid password I have tried with a number of user, and I'm quite sure I won't enter the wrong password that many times :) If I do enter an invalid password I get the same error :) I know this might be related to an OpenDirectory issue, but as I see it, it might also be related to the way I set up the freeradius service. I would really be happy if someone could point me in the right direction. Jens W. Skov
Jens W. Skov - JS Consult wrote:
I’m trying to set up external authentication from our router to a OSX-server.
I have it working fine if the user is an admin-user on the mac, but if I try with a normal user I get:
Auth: rim_opendirectory: User <vpntest> is authorized. Auth: rim_opendirectory: User [vpntest]: invalid password
Are you running FreeRADIUS on the same machine running OpenDirectory?
I know this might be related to an OpenDirectory issue, but as I see it, it might also be related to the way I set up the freeradius service.
It's hard to know.
I would really be happy if someone could point me in the right direction.
Ask Apple. They submitted the rlm_opendirectory module. It seems to work for them. There is minimal documentation for it. Alan DeKok.
Jens W. Skov - JS Consult wrote:
I’m trying to set up external authentication from our router to a OSX-server.
I have it working fine if the user is an admin-user on the mac, but if I try with a normal user I get:
Auth: rim_opendirectory: User <vpntest> is authorized. Auth: rim_opendirectory: User [vpntest]: invalid password
Are you running FreeRADIUS on the same machine running OpenDirectory? JS: Yes, they have only this one server. I do suspect that I might be missing something in the users file. In the OSX gui I have selected that users and groups that should be allowed, but it seems it not passed on to the radius service.
Here is what de debug shows. It seems it's first authenticated and then denied: Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.2 port 9903, id=94, length=122 User-Name = "vpntest" User-Password = "password" Acct-Session-Id = "NS-0000005e" NAS-IP-Address = 192.168.2.2 NAS-Port = 28123 NAS-Port-Type = Virtual Called-Station-Id = "109.202.152.154" Calling-Station-Id = "62.242.23.156" Netscreen-Attr-10 = 0x00000003 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "vpntest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated ++[files] returns noop rlm_opendirectory: The host 192.168.2.2 does not have an access group. rlm_opendirectory: User <vpntest> is authorized. rlm_opendirectory: Setting Auth-Type = opendirectory ++[opendirectory] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = opendirectory +- entering group opendirectory {...} rlm_opendirectory: [vpntest]: invalid password ++[opendirectory] returns userlock Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> vpntest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 94 to 192.168.2.2 port 9903 Jens W. Skov Civilingeniør - M. Sc. E. in Telecommunications - MCP JS Consult Tlf: +45 45884077 Mobil: +45 23254077 jens@jsconsult.dk (Email, MSN, Skype) <mailto:jens@jsconsult.dk%20(Email,%20MSN,%20Skype)> Helpdesk: helpdesk.jsconsult.dk <http://helpdesk.jsconsult.dk/> eller helpdesk@jsconsult.dk Rævehøjparken 58 2800 Kgs. Lyngby <http://eu.ntrsupport.com/inquiero/web/digisign/digisign.asp?login=I23E8F5 02C6B11A99700843&lang=en> .... vil du også have centralt administrerede dynamiske signaturer for alle brugere? Kontakt os for en demonstration af Signature Manager. Alle priser er, med mindre andet er oplyst, ex. moms og levering. Der tages forbehold for fejl og prisændringer. Den 29/06/12 07.03 skrev "Jens W. Skov - JS Consult" <jens@jsconsult.dk>:
Jens W. Skov - JS Consult wrote:
I¹m trying to set up external authentication from our router to a OSX-server.
I have it working fine if the user is an admin-user on the mac, but if I try with a normal user I get:
Auth: rim_opendirectory: User <vpntest> is authorized. Auth: rim_opendirectory: User [vpntest]: invalid password
Are you running FreeRADIUS on the same machine running OpenDirectory?
JS: Yes, they have only this one server. I do suspect that I might be missing something in the users file. In the OSX gui I have selected that users and groups that should be allowed, but it seems it not passed on to the radius service.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jens W. Skov - JS Consult wrote:
Here is what de debug shows. It seems it's first authenticated and then denied:
No. It explicitly says "AUTHORIZED". That means allowed, but not authenticated.
Found Auth-Type = opendirectory +- entering group opendirectory {...} rlm_opendirectory: [vpntest]: invalid password
Well... fix that. I use a Mac, but I don't run OpenDirectory. Apple submitted that module, and are using it in their OSX Server product. Past that, I don't know much. Alan DeKok.
Found Auth-Type = opendirectory +- entering group opendirectory {...} rlm_opendirectory: [vpntest]: invalid password
Well... fix that.
:-) Of course the password is correct. But I'll seek help some where else. The Apple support forums are not much help. Jens
participants (2)
-
Alan DeKok -
Jens W. Skov - JS Consult