Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migrat..., pages 12-16), authentication fails. I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file. Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost. Thanks in advance. -Eric
On Sun, 2018-12-02 at 21:47 -0500, Eric Wittle wrote:
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
That error resulted from trying to connect to OpenDirectory. Does OpenDirectory log anything useful?
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Debug was missing. Can you just paste it into the e-mail rather than attaching it. Use just "-X", don't use "-Xx" or other variants. -- Matthew
Pasted this time… FreeRADIUS Version 3.0.17 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/sql including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = opendirectory radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no use_open_directory = yes } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_opendirectory # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_sql # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_sqlite" server = "" port = 0 login = "" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } accounting-off { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked Creating attribute SQL-Group # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 instantiate { } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.key" certificate_file = "/usr/local/etc/raddb/certs/server.crt" ca_file = "/usr/local/etc/raddb/certs/ca.pem" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql rlm_sql_sqlite: libsqlite version: 3.19.3 sqlite { filename = "/var/db/radius/freeradius.db" busy_timeout = 200 } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net) to global clients list rlm_sql (192.168.1.1): Client "router.wittle.net" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 59453 Listening on proxy address :: port 59454 Ready to process requests (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "eric" (0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0 (0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562 (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "eric", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) opendirectory: The host 192.168.1.1 does not have an access group. (0) [opendirectory] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (0) mschap: Stepbuf server challenge : ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0 (0) mschap: Stepbuf peer challenge : ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c (0) mschap: Stepbuf p24 : 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562 (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0 (0) Framed-Protocol = PPP (0) Framed-Compression = Van-Jacobson-TCP-IP (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +27 Ready to process requests
On Dec 2, 2018, at 9:47 PM, Eric Wittle <eric@wittle.net> wrote:
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migrat... <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory. The contents of ApplePasswordServer.Error.Log bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log -- Start: Server rolled log on: Nov 13 2018 21:17:19 -- Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT The tail end of ApplePasswordServer.Server.Log bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log Dec 2 2018 14:52:43 233320us Stopping server processes ... Dec 2 2018 14:52:43 234062us Closing all incoming connections ... Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10 Dec 2 2018 14:52:43 234669us Stopping Network Processes ... Dec 2 2018 14:52:43 234682us Deinitializing networking ... Dec 2 2018 14:52:43 234701us Server Processes Stopped ... Dec 2 2018 14:52:43 234718us RunAppThread Stopped Dec 2 2018 14:52:43 234747us RunAppThread Deleted Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018 . Dec 2 2018 14:52:47 755702us RunAppThread Created Dec 2 2018 14:52:47 755746us RunAppThread Started Dec 2 2018 14:52:47 755760us Initializing Server Globals ... Dec 2 2018 14:52:47 768754us Initializing Networking ... Dec 2 2018 14:52:47 768819us Initializing TCP ... Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET" Dec 2 2018 14:52:47 824367us Starting Central Thread ... Dec 2 2018 14:52:47 824401us Starting other server processes ... Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop Dec 2 2018 14:52:47 824451us Initializing TCP ... Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 14:52:47 825558us Finished starting other server processes ... Dec 2 2018 14:52:47 825582us -- Password Server successfully started -- Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec -- Dec 2 2018 15:03:32 701865us Stopping server processes ... Dec 2 2018 15:03:32 702676us Closing all incoming connections ... Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:03:32 703930us Stopping Network Processes ... Dec 2 2018 15:03:32 703944us Deinitializing networking ... Dec 2 2018 15:03:32 703960us Server Processes Stopped ... Dec 2 2018 15:03:32 703977us RunAppThread Stopped Dec 2 2018 15:03:32 703989us RunAppThread Deleted Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018 . Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018 . Dec 2 2018 15:03:43 644253us RunAppThread Created Dec 2 2018 15:03:43 644295us RunAppThread Started Dec 2 2018 15:03:43 644316us Initializing Server Globals ... Dec 2 2018 15:03:43 677609us Initializing Networking ... Dec 2 2018 15:03:43 677736us Initializing TCP ... Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET" Dec 2 2018 15:03:43 692877us Starting Central Thread ... Dec 2 2018 15:03:43 692895us Starting other server processes ... Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop Dec 2 2018 15:03:43 692938us Initializing TCP ... Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:03:43 694190us Finished starting other server processes ... Dec 2 2018 15:03:43 694212us -- Password Server successfully started -- Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec -- Dec 2 2018 15:05:24 289083us Stopping server processes ... Dec 2 2018 15:05:24 289128us Closing all incoming connections ... Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:05:24 290086us Stopping Network Processes ... Dec 2 2018 15:05:24 290098us Deinitializing networking ... Dec 2 2018 15:05:24 290113us Server Processes Stopped ... Dec 2 2018 15:05:24 290129us RunAppThread Stopped Dec 2 2018 15:05:24 290142us RunAppThread Deleted Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018 . Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018 . Dec 2 2018 15:07:34 103718us RunAppThread Created Dec 2 2018 15:07:34 103758us RunAppThread Started Dec 2 2018 15:07:34 103779us Initializing Server Globals ... Dec 2 2018 15:07:34 118899us Initializing Networking ... Dec 2 2018 15:07:34 118961us Initializing TCP ... Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET" Dec 2 2018 15:07:34 139134us Starting Central Thread ... Dec 2 2018 15:07:34 139141us Starting other server processes ... Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop Dec 2 2018 15:07:34 139174us Initializing TCP ... Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:07:34 140156us Finished starting other server processes ... Dec 2 2018 15:07:34 140178us -- Password Server successfully started -- Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec -- Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server. I’ll take a look and see if radiusconfig is a script… -Eric
On Dec 3, 2018, at 5:41 AM, Eric Wittle <eric@wittle.net> wrote:
Pasted this time…
FreeRADIUS Version 3.0.17 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/sql including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com <http://example.com/> { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = opendirectory radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no use_open_directory = yes } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_opendirectory # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_sql # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_sqlite" server = "" port = 0 login = "" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } accounting-off { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked Creating attribute SQL-Group # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 instantiate { } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.key" certificate_file = "/usr/local/etc/raddb/certs/server.crt" ca_file = "/usr/local/etc/raddb/certs/ca.pem" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql rlm_sql_sqlite: libsqlite version: 3.19.3 sqlite { filename = "/var/db/radius/freeradius.db" busy_timeout = 200 } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 59453 Listening on proxy address :: port 59454 Ready to process requests (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "eric" (0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0 (0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562 (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "eric", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) opendirectory: The host 192.168.1.1 does not have an access group. (0) [opendirectory] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (0) mschap: Stepbuf server challenge : ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0 (0) mschap: Stepbuf peer challenge : ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c (0) mschap: Stepbuf p24 : 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562 (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0 (0) Framed-Protocol = PPP (0) Framed-Compression = Van-Jacobson-TCP-IP (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +27 Ready to process requests
On Dec 2, 2018, at 9:47 PM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migrat... <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log: Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response. -Eric
On Dec 3, 2018, at 6:14 AM, Eric Wittle <eric@wittle.net> wrote:
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
The contents of ApplePasswordServer.Error.Log bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log -- Start: Server rolled log on: Nov 13 2018 21:17:19 -- Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT
The tail end of ApplePasswordServer.Server.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log Dec 2 2018 14:52:43 233320us Stopping server processes ... Dec 2 2018 14:52:43 234062us Closing all incoming connections ... Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10 Dec 2 2018 14:52:43 234669us Stopping Network Processes ... Dec 2 2018 14:52:43 234682us Deinitializing networking ... Dec 2 2018 14:52:43 234701us Server Processes Stopped ... Dec 2 2018 14:52:43 234718us RunAppThread Stopped Dec 2 2018 14:52:43 234747us RunAppThread Deleted Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018 . Dec 2 2018 14:52:47 755702us RunAppThread Created Dec 2 2018 14:52:47 755746us RunAppThread Started Dec 2 2018 14:52:47 755760us Initializing Server Globals ... Dec 2 2018 14:52:47 768754us Initializing Networking ... Dec 2 2018 14:52:47 768819us Initializing TCP ... Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 14:52:47 824367us Starting Central Thread ... Dec 2 2018 14:52:47 824401us Starting other server processes ... Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop Dec 2 2018 14:52:47 824451us Initializing TCP ... Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 14:52:47 825558us Finished starting other server processes ... Dec 2 2018 14:52:47 825582us -- Password Server successfully started -- Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec -- Dec 2 2018 15:03:32 701865us Stopping server processes ... Dec 2 2018 15:03:32 702676us Closing all incoming connections ... Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:03:32 703930us Stopping Network Processes ... Dec 2 2018 15:03:32 703944us Deinitializing networking ... Dec 2 2018 15:03:32 703960us Server Processes Stopped ... Dec 2 2018 15:03:32 703977us RunAppThread Stopped Dec 2 2018 15:03:32 703989us RunAppThread Deleted Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018 . Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018 . Dec 2 2018 15:03:43 644253us RunAppThread Created Dec 2 2018 15:03:43 644295us RunAppThread Started Dec 2 2018 15:03:43 644316us Initializing Server Globals ... Dec 2 2018 15:03:43 677609us Initializing Networking ... Dec 2 2018 15:03:43 677736us Initializing TCP ... Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:03:43 692877us Starting Central Thread ... Dec 2 2018 15:03:43 692895us Starting other server processes ... Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop Dec 2 2018 15:03:43 692938us Initializing TCP ... Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:03:43 694190us Finished starting other server processes ... Dec 2 2018 15:03:43 694212us -- Password Server successfully started -- Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec -- Dec 2 2018 15:05:24 289083us Stopping server processes ... Dec 2 2018 15:05:24 289128us Closing all incoming connections ... Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:05:24 290086us Stopping Network Processes ... Dec 2 2018 15:05:24 290098us Deinitializing networking ... Dec 2 2018 15:05:24 290113us Server Processes Stopped ... Dec 2 2018 15:05:24 290129us RunAppThread Stopped Dec 2 2018 15:05:24 290142us RunAppThread Deleted Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018 . Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018 . Dec 2 2018 15:07:34 103718us RunAppThread Created Dec 2 2018 15:07:34 103758us RunAppThread Started Dec 2 2018 15:07:34 103779us Initializing Server Globals ... Dec 2 2018 15:07:34 118899us Initializing Networking ... Dec 2 2018 15:07:34 118961us Initializing TCP ... Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:07:34 139134us Starting Central Thread ... Dec 2 2018 15:07:34 139141us Starting other server processes ... Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop Dec 2 2018 15:07:34 139174us Initializing TCP ... Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:07:34 140156us Finished starting other server processes ... Dec 2 2018 15:07:34 140178us -- Password Server successfully started -- Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec -- Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
I’ll take a look and see if radiusconfig is a script…
-Eric
On Dec 3, 2018, at 5:41 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
Pasted this time…
FreeRADIUS Version 3.0.17 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/sql including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com <http://example.com/> { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = opendirectory radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no use_open_directory = yes } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_opendirectory # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_sql # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_sqlite" server = "" port = 0 login = "" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } accounting-off { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked Creating attribute SQL-Group # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 instantiate { } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.key" certificate_file = "/usr/local/etc/raddb/certs/server.crt" ca_file = "/usr/local/etc/raddb/certs/ca.pem" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql rlm_sql_sqlite: libsqlite version: 3.19.3 sqlite { filename = "/var/db/radius/freeradius.db" busy_timeout = 200 } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 59453 Listening on proxy address :: port 59454 Ready to process requests (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "eric" (0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0 (0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562 (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "eric", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) opendirectory: The host 192.168.1.1 does not have an access group. (0) [opendirectory] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (0) mschap: Stepbuf server challenge : ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0 (0) mschap: Stepbuf peer challenge : ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c (0) mschap: Stepbuf p24 : 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562 (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0 (0) Framed-Protocol = PPP (0) Framed-Compression = Van-Jacobson-TCP-IP (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +27 Ready to process requests
On Dec 2, 2018, at 9:47 PM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migrat... <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10. -Eric rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "eric" MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] = ok ++[digest] = noop [suffix] No '@' in User-Name = "eric", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] users: Matched entry DEFAULT at line 178 ++[files] = ok [opendirectory] The host 192.168.1.1 does not have an access group. ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = MSCHAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: eric [mschap] Client is using MS-CHAPv2 for eric, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Doing OD MSCHAPv2 auth [mschap] Successful authentication for eric ++[mschap] = ok +} # group MS-CHAP = ok Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net port 0) # Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 2 to 192.168.1.1 port 60795 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96 Acct-Session-Id = "5C0514303B2A00" User-Name = "eric" Acct-Status-Type = Start Service-Type = Framed-User Framed-Protocol = PPP Acct-Authentic = RADIUS NAS-Port-Type = Async Framed-IP-Address = 192.168.6.100 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Acct-Delay-Time = 0 # Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"' [acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184". ++[acct_unique] = ok [suffix] No '@' in User-Name = "eric", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++[files] = noop +} # group preacct = ok # Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default +group accounting { [detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1 [detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203 [detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203 [detail] expand: %t -> Mon Dec 3 06:32:00 2018 ++[detail] = ok ++[exec] = noop [attr_filter.accounting_response] expand: %{User-Name} -> eric attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Response of id 3 to 192.168.1.1 port 40029 Finished request 1. Cleaning up request 1 ID 3 with timestamp +23 Going to the next request Waking up in 4.3 seconds. Cleaning up request 0 ID 2 with timestamp +22 Ready to process requests.
On Dec 3, 2018, at 6:26 AM, Eric Wittle <eric@wittle.net> wrote:
OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
-Eric
On Dec 3, 2018, at 6:14 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
The contents of ApplePasswordServer.Error.Log bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log -- Start: Server rolled log on: Nov 13 2018 21:17:19 -- Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT
The tail end of ApplePasswordServer.Server.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log Dec 2 2018 14:52:43 233320us Stopping server processes ... Dec 2 2018 14:52:43 234062us Closing all incoming connections ... Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10 Dec 2 2018 14:52:43 234669us Stopping Network Processes ... Dec 2 2018 14:52:43 234682us Deinitializing networking ... Dec 2 2018 14:52:43 234701us Server Processes Stopped ... Dec 2 2018 14:52:43 234718us RunAppThread Stopped Dec 2 2018 14:52:43 234747us RunAppThread Deleted Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018 . Dec 2 2018 14:52:47 755702us RunAppThread Created Dec 2 2018 14:52:47 755746us RunAppThread Started Dec 2 2018 14:52:47 755760us Initializing Server Globals ... Dec 2 2018 14:52:47 768754us Initializing Networking ... Dec 2 2018 14:52:47 768819us Initializing TCP ... Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 14:52:47 824367us Starting Central Thread ... Dec 2 2018 14:52:47 824401us Starting other server processes ... Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop Dec 2 2018 14:52:47 824451us Initializing TCP ... Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 14:52:47 825558us Finished starting other server processes ... Dec 2 2018 14:52:47 825582us -- Password Server successfully started -- Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec -- Dec 2 2018 15:03:32 701865us Stopping server processes ... Dec 2 2018 15:03:32 702676us Closing all incoming connections ... Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:03:32 703930us Stopping Network Processes ... Dec 2 2018 15:03:32 703944us Deinitializing networking ... Dec 2 2018 15:03:32 703960us Server Processes Stopped ... Dec 2 2018 15:03:32 703977us RunAppThread Stopped Dec 2 2018 15:03:32 703989us RunAppThread Deleted Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018 . Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018 . Dec 2 2018 15:03:43 644253us RunAppThread Created Dec 2 2018 15:03:43 644295us RunAppThread Started Dec 2 2018 15:03:43 644316us Initializing Server Globals ... Dec 2 2018 15:03:43 677609us Initializing Networking ... Dec 2 2018 15:03:43 677736us Initializing TCP ... Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:03:43 692877us Starting Central Thread ... Dec 2 2018 15:03:43 692895us Starting other server processes ... Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop Dec 2 2018 15:03:43 692938us Initializing TCP ... Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:03:43 694190us Finished starting other server processes ... Dec 2 2018 15:03:43 694212us -- Password Server successfully started -- Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec -- Dec 2 2018 15:05:24 289083us Stopping server processes ... Dec 2 2018 15:05:24 289128us Closing all incoming connections ... Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:05:24 290086us Stopping Network Processes ... Dec 2 2018 15:05:24 290098us Deinitializing networking ... Dec 2 2018 15:05:24 290113us Server Processes Stopped ... Dec 2 2018 15:05:24 290129us RunAppThread Stopped Dec 2 2018 15:05:24 290142us RunAppThread Deleted Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018 . Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018 . Dec 2 2018 15:07:34 103718us RunAppThread Created Dec 2 2018 15:07:34 103758us RunAppThread Started Dec 2 2018 15:07:34 103779us Initializing Server Globals ... Dec 2 2018 15:07:34 118899us Initializing Networking ... Dec 2 2018 15:07:34 118961us Initializing TCP ... Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:07:34 139134us Starting Central Thread ... Dec 2 2018 15:07:34 139141us Starting other server processes ... Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop Dec 2 2018 15:07:34 139174us Initializing TCP ... Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:07:34 140156us Finished starting other server processes ... Dec 2 2018 15:07:34 140178us -- Password Server successfully started -- Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec -- Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
I’ll take a look and see if radiusconfig is a script…
-Eric
On Dec 3, 2018, at 5:41 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
Pasted this time…
FreeRADIUS Version 3.0.17 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/sql including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com <http://example.com/> { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = opendirectory radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no use_open_directory = yes } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_opendirectory # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_sql # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_sqlite" server = "" port = 0 login = "" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } accounting-off { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked Creating attribute SQL-Group # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 instantiate { } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.key" certificate_file = "/usr/local/etc/raddb/certs/server.crt" ca_file = "/usr/local/etc/raddb/certs/ca.pem" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql rlm_sql_sqlite: libsqlite version: 3.19.3 sqlite { filename = "/var/db/radius/freeradius.db" busy_timeout = 200 } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 59453 Listening on proxy address :: port 59454 Ready to process requests (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "eric" (0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0 (0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562 (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "eric", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) opendirectory: The host 192.168.1.1 does not have an access group. (0) [opendirectory] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (0) mschap: Stepbuf server challenge : ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0 (0) mschap: Stepbuf peer challenge : ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c (0) mschap: Stepbuf p24 : 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562 (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0 (0) Framed-Protocol = PPP (0) Framed-Compression = Van-Jacobson-TCP-IP (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +27 Ready to process requests
On Dec 2, 2018, at 9:47 PM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migrat... <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
And finally what success and failure look like from the router’s messages log: Successful authentication with OS X Server’s FreeRADIUS 2.10: Dec 3 12:11:39 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 60074. Local: 33742, Remote: 28 (ref=0/0). LNS session is 'default' Dec 3 12:11:39 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17357, Local: 45819, Remote: 7746, Serial: 1 Dec 3 12:11:39 ubnt pppd[17357]: pppd 2.4.4 started by root, uid 0 Dec 3 12:11:39 ubnt pppd[17357]: Connect: ppp0 <--> Dec 3 12:11:42 ubnt pppd[17357]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received Dec 3 12:11:43 ubnt pppd[17357]: Cannot determine ethernet address for proxy ARP Dec 3 12:11:43 ubnt pppd[17357]: local IP address 10.255.255.0 Dec 3 12:11:43 ubnt pppd[17357]: remote IP address 192.168.6.100 Dec 3 12:12:23 ubnt pppd[17357]: Connection terminated: no multilink. Dec 3 12:12:23 ubnt pppd[17357]: Modem hangup Failed authentication with manually installed FreeRadius 3 Dec 3 12:13:03 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 49849. Local: 23776, Remote: 29 (ref=0/0). LNS session is 'default' Dec 3 12:13:03 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17610, Local: 11728, Remote: 7750, Serial: 1 Dec 3 12:13:03 ubnt pppd[17610]: pppd 2.4.4 started by root, uid 0 Dec 3 12:13:03 ubnt pppd[17610]: Connect: ppp0 <--> Dec 3 12:13:06 ubnt pppd[17610]: Dec 3 12:13:06 ubnt pppd[17610]: Peer eric failed CHAP authentication Dec 3 12:13:12 ubnt pppd[17610]: Connection terminated: no multilink. Dec 3 12:13:12 ubnt pppd[17610]: Modem hangup -Eric
On Dec 3, 2018, at 6:48 AM, Eric Wittle <eric@wittle.net> wrote:
In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.
-Eric
rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "eric" MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] = ok ++[digest] = noop [suffix] No '@' in User-Name = "eric", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] users: Matched entry DEFAULT at line 178 ++[files] = ok [opendirectory] The host 192.168.1.1 does not have an access group. ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = MSCHAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: eric [mschap] Client is using MS-CHAPv2 for eric, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Doing OD MSCHAPv2 auth [mschap] Successful authentication for eric ++[mschap] = ok +} # group MS-CHAP = ok Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net <http://router.wittle.net/> port 0) # Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 2 to 192.168.1.1 port 60795 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96 Acct-Session-Id = "5C0514303B2A00" User-Name = "eric" Acct-Status-Type = Start Service-Type = Framed-User Framed-Protocol = PPP Acct-Authentic = RADIUS NAS-Port-Type = Async Framed-IP-Address = 192.168.6.100 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Acct-Delay-Time = 0 # Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"' [acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184". ++[acct_unique] = ok [suffix] No '@' in User-Name = "eric", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++[files] = noop +} # group preacct = ok # Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default +group accounting { [detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1 [detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203 [detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203 [detail] expand: %t -> Mon Dec 3 06:32:00 2018 ++[detail] = ok ++[exec] = noop [attr_filter.accounting_response] expand: %{User-Name} -> eric attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Response of id 3 to 192.168.1.1 port 40029 Finished request 1. Cleaning up request 1 ID 3 with timestamp +23 Going to the next request Waking up in 4.3 seconds. Cleaning up request 0 ID 2 with timestamp +22 Ready to process requests.
On Dec 3, 2018, at 6:26 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
-Eric
On Dec 3, 2018, at 6:14 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
The contents of ApplePasswordServer.Error.Log bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log -- Start: Server rolled log on: Nov 13 2018 21:17:19 -- Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT
The tail end of ApplePasswordServer.Server.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log Dec 2 2018 14:52:43 233320us Stopping server processes ... Dec 2 2018 14:52:43 234062us Closing all incoming connections ... Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10 Dec 2 2018 14:52:43 234669us Stopping Network Processes ... Dec 2 2018 14:52:43 234682us Deinitializing networking ... Dec 2 2018 14:52:43 234701us Server Processes Stopped ... Dec 2 2018 14:52:43 234718us RunAppThread Stopped Dec 2 2018 14:52:43 234747us RunAppThread Deleted Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018 . Dec 2 2018 14:52:47 755702us RunAppThread Created Dec 2 2018 14:52:47 755746us RunAppThread Started Dec 2 2018 14:52:47 755760us Initializing Server Globals ... Dec 2 2018 14:52:47 768754us Initializing Networking ... Dec 2 2018 14:52:47 768819us Initializing TCP ... Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 14:52:47 824367us Starting Central Thread ... Dec 2 2018 14:52:47 824401us Starting other server processes ... Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop Dec 2 2018 14:52:47 824451us Initializing TCP ... Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 14:52:47 825558us Finished starting other server processes ... Dec 2 2018 14:52:47 825582us -- Password Server successfully started -- Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec -- Dec 2 2018 15:03:32 701865us Stopping server processes ... Dec 2 2018 15:03:32 702676us Closing all incoming connections ... Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:03:32 703930us Stopping Network Processes ... Dec 2 2018 15:03:32 703944us Deinitializing networking ... Dec 2 2018 15:03:32 703960us Server Processes Stopped ... Dec 2 2018 15:03:32 703977us RunAppThread Stopped Dec 2 2018 15:03:32 703989us RunAppThread Deleted Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018 . Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018 . Dec 2 2018 15:03:43 644253us RunAppThread Created Dec 2 2018 15:03:43 644295us RunAppThread Started Dec 2 2018 15:03:43 644316us Initializing Server Globals ... Dec 2 2018 15:03:43 677609us Initializing Networking ... Dec 2 2018 15:03:43 677736us Initializing TCP ... Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:03:43 692877us Starting Central Thread ... Dec 2 2018 15:03:43 692895us Starting other server processes ... Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop Dec 2 2018 15:03:43 692938us Initializing TCP ... Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:03:43 694190us Finished starting other server processes ... Dec 2 2018 15:03:43 694212us -- Password Server successfully started -- Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec -- Dec 2 2018 15:05:24 289083us Stopping server processes ... Dec 2 2018 15:05:24 289128us Closing all incoming connections ... Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:05:24 290086us Stopping Network Processes ... Dec 2 2018 15:05:24 290098us Deinitializing networking ... Dec 2 2018 15:05:24 290113us Server Processes Stopped ... Dec 2 2018 15:05:24 290129us RunAppThread Stopped Dec 2 2018 15:05:24 290142us RunAppThread Deleted Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018 . Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018 . Dec 2 2018 15:07:34 103718us RunAppThread Created Dec 2 2018 15:07:34 103758us RunAppThread Started Dec 2 2018 15:07:34 103779us Initializing Server Globals ... Dec 2 2018 15:07:34 118899us Initializing Networking ... Dec 2 2018 15:07:34 118961us Initializing TCP ... Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:07:34 139134us Starting Central Thread ... Dec 2 2018 15:07:34 139141us Starting other server processes ... Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop Dec 2 2018 15:07:34 139174us Initializing TCP ... Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:07:34 140156us Finished starting other server processes ... Dec 2 2018 15:07:34 140178us -- Password Server successfully started -- Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec -- Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
I’ll take a look and see if radiusconfig is a script…
-Eric
On Dec 3, 2018, at 5:41 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
Pasted this time…
FreeRADIUS Version 3.0.17 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/sql including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com <http://example.com/> { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = opendirectory radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no use_open_directory = yes } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_opendirectory # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_sql # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_sqlite" server = "" port = 0 login = "" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } accounting-off { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked Creating attribute SQL-Group # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 instantiate { } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.key" certificate_file = "/usr/local/etc/raddb/certs/server.crt" ca_file = "/usr/local/etc/raddb/certs/ca.pem" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql rlm_sql_sqlite: libsqlite version: 3.19.3 sqlite { filename = "/var/db/radius/freeradius.db" busy_timeout = 200 } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 59453 Listening on proxy address :: port 59454 Ready to process requests (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "eric" (0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0 (0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562 (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "eric", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) opendirectory: The host 192.168.1.1 does not have an access group. (0) [opendirectory] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (0) mschap: Stepbuf server challenge : ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0 (0) mschap: Stepbuf peer challenge : ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c (0) mschap: Stepbuf p24 : 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562 (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0 (0) Framed-Protocol = PPP (0) Framed-Compression = Van-Jacobson-TCP-IP (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +27 Ready to process requests
On Dec 2, 2018, at 9:47 PM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migrat... <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
I looked over the debug output from attempts that should have succeeded (valid username and password), vs. those that should have failed (invalid password). It seems like the result description is the following for a valid username / password: (1) Sent Access-Reject Id 10 from 192.168.1.2:1812 to 192.168.1.1:43315 length 20 and this for an invalid password: (0) Sent Access-Reject Id 9 from 192.168.1.2:1812 to 192.168.1.1:48225 length 20 That seems to imply that FreeRADIUS 3.0.17 is doing the right thing, but somehow the results for the Ubiquiti EdgeRouter VPN authentication are different. Am I reading the log correctly? I’ve posted in the Ubiquiti forums asking for help there as well, assuming that I’m reading this debug log correctly and authentication is actually succeeding: https://community.ubnt.com/t5/EdgeRouter/VPN-radius-authentication-incorrect... I did a quick web search to see if I could log the authentication response to the EdgeRouter, but didn’t find anything that was particularly clear. Did the authentication response change from 2.2.10 to 3.0.17? I could presumably rebuild and reconfigure with a 2.X version to see if that would be more compatible with the EdgeRouter. -Eric
On Dec 3, 2018, at 7:16 AM, Eric Wittle <eric@wittle.net> wrote:
And finally what success and failure look like from the router’s messages log:
Successful authentication with OS X Server’s FreeRADIUS 2.10:
Dec 3 12:11:39 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 60074. Local: 33742, Remote: 28 (ref=0/0). LNS session is 'default' Dec 3 12:11:39 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17357, Local: 45819, Remote: 7746, Serial: 1 Dec 3 12:11:39 ubnt pppd[17357]: pppd 2.4.4 started by root, uid 0 Dec 3 12:11:39 ubnt pppd[17357]: Connect: ppp0 <--> Dec 3 12:11:42 ubnt pppd[17357]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received Dec 3 12:11:43 ubnt pppd[17357]: Cannot determine ethernet address for proxy ARP Dec 3 12:11:43 ubnt pppd[17357]: local IP address 10.255.255.0 Dec 3 12:11:43 ubnt pppd[17357]: remote IP address 192.168.6.100 Dec 3 12:12:23 ubnt pppd[17357]: Connection terminated: no multilink. Dec 3 12:12:23 ubnt pppd[17357]: Modem hangup
Failed authentication with manually installed FreeRadius 3
Dec 3 12:13:03 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 49849. Local: 23776, Remote: 29 (ref=0/0). LNS session is 'default' Dec 3 12:13:03 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17610, Local: 11728, Remote: 7750, Serial: 1 Dec 3 12:13:03 ubnt pppd[17610]: pppd 2.4.4 started by root, uid 0 Dec 3 12:13:03 ubnt pppd[17610]: Connect: ppp0 <--> Dec 3 12:13:06 ubnt pppd[17610]: Dec 3 12:13:06 ubnt pppd[17610]: Peer eric failed CHAP authentication Dec 3 12:13:12 ubnt pppd[17610]: Connection terminated: no multilink. Dec 3 12:13:12 ubnt pppd[17610]: Modem hangup
-Eric
On Dec 3, 2018, at 6:48 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.
-Eric
rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "eric" MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] = ok ++[digest] = noop [suffix] No '@' in User-Name = "eric", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] users: Matched entry DEFAULT at line 178 ++[files] = ok [opendirectory] The host 192.168.1.1 does not have an access group. ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = MSCHAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: eric [mschap] Client is using MS-CHAPv2 for eric, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Doing OD MSCHAPv2 auth [mschap] Successful authentication for eric ++[mschap] = ok +} # group MS-CHAP = ok Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net <http://router.wittle.net/> port 0) # Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 2 to 192.168.1.1 port 60795 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96 Acct-Session-Id = "5C0514303B2A00" User-Name = "eric" Acct-Status-Type = Start Service-Type = Framed-User Framed-Protocol = PPP Acct-Authentic = RADIUS NAS-Port-Type = Async Framed-IP-Address = 192.168.6.100 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Acct-Delay-Time = 0 # Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"' [acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184". ++[acct_unique] = ok [suffix] No '@' in User-Name = "eric", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++[files] = noop +} # group preacct = ok # Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default +group accounting { [detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1 [detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203 [detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203 [detail] expand: %t -> Mon Dec 3 06:32:00 2018 ++[detail] = ok ++[exec] = noop [attr_filter.accounting_response] expand: %{User-Name} -> eric attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Response of id 3 to 192.168.1.1 port 40029 Finished request 1. Cleaning up request 1 ID 3 with timestamp +23 Going to the next request Waking up in 4.3 seconds. Cleaning up request 0 ID 2 with timestamp +22 Ready to process requests.
On Dec 3, 2018, at 6:26 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
-Eric
On Dec 3, 2018, at 6:14 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
The contents of ApplePasswordServer.Error.Log bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log -- Start: Server rolled log on: Nov 13 2018 21:17:19 -- Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT
The tail end of ApplePasswordServer.Server.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log Dec 2 2018 14:52:43 233320us Stopping server processes ... Dec 2 2018 14:52:43 234062us Closing all incoming connections ... Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10 Dec 2 2018 14:52:43 234669us Stopping Network Processes ... Dec 2 2018 14:52:43 234682us Deinitializing networking ... Dec 2 2018 14:52:43 234701us Server Processes Stopped ... Dec 2 2018 14:52:43 234718us RunAppThread Stopped Dec 2 2018 14:52:43 234747us RunAppThread Deleted Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018 . Dec 2 2018 14:52:47 755702us RunAppThread Created Dec 2 2018 14:52:47 755746us RunAppThread Started Dec 2 2018 14:52:47 755760us Initializing Server Globals ... Dec 2 2018 14:52:47 768754us Initializing Networking ... Dec 2 2018 14:52:47 768819us Initializing TCP ... Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 14:52:47 824367us Starting Central Thread ... Dec 2 2018 14:52:47 824401us Starting other server processes ... Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop Dec 2 2018 14:52:47 824451us Initializing TCP ... Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 14:52:47 825558us Finished starting other server processes ... Dec 2 2018 14:52:47 825582us -- Password Server successfully started -- Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec -- Dec 2 2018 15:03:32 701865us Stopping server processes ... Dec 2 2018 15:03:32 702676us Closing all incoming connections ... Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:03:32 703930us Stopping Network Processes ... Dec 2 2018 15:03:32 703944us Deinitializing networking ... Dec 2 2018 15:03:32 703960us Server Processes Stopped ... Dec 2 2018 15:03:32 703977us RunAppThread Stopped Dec 2 2018 15:03:32 703989us RunAppThread Deleted Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018 . Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018 . Dec 2 2018 15:03:43 644253us RunAppThread Created Dec 2 2018 15:03:43 644295us RunAppThread Started Dec 2 2018 15:03:43 644316us Initializing Server Globals ... Dec 2 2018 15:03:43 677609us Initializing Networking ... Dec 2 2018 15:03:43 677736us Initializing TCP ... Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:03:43 692877us Starting Central Thread ... Dec 2 2018 15:03:43 692895us Starting other server processes ... Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop Dec 2 2018 15:03:43 692938us Initializing TCP ... Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:03:43 694190us Finished starting other server processes ... Dec 2 2018 15:03:43 694212us -- Password Server successfully started -- Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec -- Dec 2 2018 15:05:24 289083us Stopping server processes ... Dec 2 2018 15:05:24 289128us Closing all incoming connections ... Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ... Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3 Dec 2 2018 15:05:24 290086us Stopping Network Processes ... Dec 2 2018 15:05:24 290098us Deinitializing networking ... Dec 2 2018 15:05:24 290113us Server Processes Stopped ... Dec 2 2018 15:05:24 290129us RunAppThread Stopped Dec 2 2018 15:05:24 290142us RunAppThread Deleted Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018 . Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018 . Dec 2 2018 15:07:34 103718us RunAppThread Created Dec 2 2018 15:07:34 103758us RunAppThread Started Dec 2 2018 15:07:34 103779us Initializing Server Globals ... Dec 2 2018 15:07:34 118899us Initializing Networking ... Dec 2 2018 15:07:34 118961us Initializing TCP ... Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>" Dec 2 2018 15:07:34 139134us Starting Central Thread ... Dec 2 2018 15:07:34 139141us Starting other server processes ... Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop Dec 2 2018 15:07:34 139174us Initializing TCP ... Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106 Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659 Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106 Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659 Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver Dec 2 2018 15:07:34 140156us Finished starting other server processes ... Dec 2 2018 15:07:34 140178us -- Password Server successfully started -- Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec -- Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded. Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
I’ll take a look and see if radiusconfig is a script…
-Eric
On Dec 3, 2018, at 5:41 AM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
Pasted this time…
FreeRADIUS Version 3.0.17 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/sql including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com <http://example.com/> { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = opendirectory radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no use_open_directory = yes } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_opendirectory # Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_sql # Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_sqlite" server = "" port = 0 login = "" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } accounting-off { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked Creating attribute SQL-Group # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 instantiate { } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.key" certificate_file = "/usr/local/etc/raddb/certs/server.crt" ca_file = "/usr/local/etc/raddb/certs/ca.pem" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql rlm_sql_sqlite: libsqlite version: 3.19.3 sqlite { filename = "/var/db/radius/freeradius.db" busy_timeout = 200 } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 59453 Listening on proxy address :: port 59454 Ready to process requests (0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "eric" (0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0 (0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562 (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "eric", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) opendirectory: The host 192.168.1.1 does not have an access group. (0) [opendirectory] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (0) mschap: Stepbuf server challenge : ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0 (0) mschap: Stepbuf peer challenge : ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c (0) mschap: Stepbuf p24 : 5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562 (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0 (0) Framed-Protocol = PPP (0) Framed-Compression = Van-Jacobson-TCP-IP (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +27 Ready to process requests
On Dec 2, 2018, at 9:47 PM, Eric Wittle <eric@wittle.net <mailto:eric@wittle.net>> wrote:
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migrat... <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
OK, I cut out the history on this thread, because I think I’ve narrowed it down. I enabled detail reply logging on both the 2.2.10 install that is working, and the 3.0.17 one that is not. The first response below is from 3.0.17, and the VPN software logs that as a CHAP authentication failure. The second response below is from the 2.2.10 version. I’m guessing at this point (but I have a forum post open on Ubiquiti to confirm) that the missing MS-CHAP2-Success value is the problem. Mon Dec 3 21:44:12 2018 Packet-Type = Access-Accept Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP Timestamp = 1543891452 Mon Dec 3 21:56:04 2018 Packet-Type = Access-Accept Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x31533d31413533414644303142413034324443374639313444384245423634373131433634363642463830 Is there a way to configure 3.0.17 to send the MS-CHAP2-Success value? Thanks, -Eric
And making some progress. In the sites-enabled/default file, added the following to the post-auth section: # ELW - Attempting to add the missing attribute I need update reply { MS-CHAP2-Success := "%{MS-CHAP2-Response}" } Now reply detail looks like: Mon Dec 3 22:41:33 2018 Packet-Type = Access-Accept Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x9d0043abe40ba2b954250b42c69a1409c1c100000000000000003f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5 Timestamp = 1543894893 And the messages file on the EdgeRouter says the following for an authentication request: Dec 4 03:41:30 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 55099. Local: 60667, Remote: 47 (ref=0/0). LNS session is 'default' Dec 4 03:41:30 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 7504, Local: 28750, Remote: 8210, Serial: 1 Dec 4 03:41:30 ubnt pppd[7504]: pppd 2.4.4 started by root, uid 0 Dec 4 03:41:30 ubnt pppd[7504]: Connect: ppp0 <--> Dec 4 03:41:33 ubnt pppd[7504]: RADIUS: bad MS-CHAP2-Success packet Dec 4 03:41:33 ubnt pppd[7504]: Peer eric failed CHAP authentication Dec 4 03:41:39 ubnt pppd[7504]: Connection terminated: no multilink. Dec 4 03:41:39 ubnt pppd[7504]: Modem hangup So it is clearly looking at the MS-CHAP2-Success attribute, but I’m not getting the right value for this. Any idea where I would get this from? I’ve tried to walk through the 2.2.10 configuration looking for where this comes from, with no luck. -Eric
On Dec 3, 2018, at 10:08 PM, Eric Wittle <eric@wittle.net> wrote:
OK, I cut out the history on this thread, because I think I’ve narrowed it down. I enabled detail reply logging on both the 2.2.10 install that is working, and the 3.0.17 one that is not. The first response below is from 3.0.17, and the VPN software logs that as a CHAP authentication failure. The second response below is from the 2.2.10 version. I’m guessing at this point (but I have a forum post open on Ubiquiti to confirm) that the missing MS-CHAP2-Success value is the problem.
Mon Dec 3 21:44:12 2018 Packet-Type = Access-Accept Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP Timestamp = 1543891452
Mon Dec 3 21:56:04 2018 Packet-Type = Access-Accept Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x31533d31413533414644303142413034324443374639313444384245423634373131433634363642463830
Is there a way to configure 3.0.17 to send the MS-CHAP2-Success value?
Thanks,
-Eric
On Dec 3, 2018, at 10:51 PM, Eric Wittle <eric@wittle.net> wrote:
And making some progress. In the sites-enabled/default file, added the following to the post-auth section:
# ELW - Attempting to add the missing attribute I need update reply { MS-CHAP2-Success := "%{MS-CHAP2-Response}" }
Don't do that. You can't just invent things and expect them to work.
Now reply detail looks like:
Mon Dec 3 22:41:33 2018 Packet-Type = Access-Accept Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x9d0043abe40ba2b954250b42c69a1409c1c100000000000000003f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5 Timestamp = 1543894893
And don't look at that, either. All of the documentation, etc. says to look at the debug output.
And the messages file on the EdgeRouter says the following for an authentication request:
Dec 4 03:41:30 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 55099. Local: 60667, Remote: 47 (ref=0/0). LNS session is 'default' Dec 4 03:41:30 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 7504, Local: 28750, Remote: 8210, Serial: 1 Dec 4 03:41:30 ubnt pppd[7504]: pppd 2.4.4 started by root, uid 0 Dec 4 03:41:30 ubnt pppd[7504]: Connect: ppp0 <--> Dec 4 03:41:33 ubnt pppd[7504]: RADIUS: bad MS-CHAP2-Success packet Dec 4 03:41:33 ubnt pppd[7504]: Peer eric failed CHAP authentication Dec 4 03:41:39 ubnt pppd[7504]: Connection terminated: no multilink. Dec 4 03:41:39 ubnt pppd[7504]: Modem hangup
And don't look at that, either. If FreeRADIUS isn't configured correctly, then it won't help to look at the NAS logs.
So it is clearly looking at the MS-CHAP2-Success attribute, but I’m not getting the right value for this. Any idea where I would get this from?
You get it from a successful authentication. The MSCHAP module calculates it automatically. The short summary is to try to get this working: a) without using OpenDirectory, but using a static / test password b) with OpenDirectory, but using radtest to send MS-CHAP packets. i.e. skip the NAS entirely. Just use RADIUS test tools, and look at the RADIUS debug messages. Maybe there's a problem with the OpenDirectory integration in v3. I don't think so, because others use it, and Apple has instructions for using it. So it should work. Alan DeKok.
On 4 Dec 2018, at 03:51, Eric Wittle <eric@wittle.net> wrote:
MS-CHAP2-Success := "%{MS-CHAP2-Response}"
You've put an authentication failure into the success attribute. You can't change a failure into a success just by declaring it to be so.
Is there a way to configure 3.0.17 to send the MS-CHAP2-Success value?
Have your authentication succeed. It's sent automatically. Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On 04/12/2018 12:37, Adam Bishop wrote:
You've put an authentication failure into the success attribute. You can't change a failure into a success just by declaring it to be so.
Oh I don't know - just ask a politician for advice, they're experts at things like that :) [With apologies for the totally off-topic response] Paul.
OK, Alan’s recommended approach from the last exchange:
The short summary is to try to get this working:
a) without using OpenDirectory, but using a static / test password
If you look at the “Appendix A” section below, you’ll see the debug output (just the packet part, I skipped the config dump, since I’ve sent it already earlier in this thread). It sure looks to me like a successful authentication against OpenDirectory, because of the following at the end: “(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0) (1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0” Despite that success, the VPN still reports authentication failure. If my install and configuration is already successfully authenticating against OpenDirectory based on the debug output, what would I learn by running a test without OpenDirectory? I thought it a natural next step to look at what successful output meant from this configuration, and whether it was different than successful output from the prior version, which is accepted by the VPN client. I’m not sure why you disagree.
b) with OpenDirectory, but using radtest to send MS-CHAP packets.
i.e. skip the NAS entirely. Just use RADIUS test tools, and look at the RADIUS debug messages.
OK, I thought I’d try that, since you suggested it, but again I’m not sure what that is supposed to tell me if the debug output of running with an actual request from the VPN is returning a success code. So I tried it. Here’s the command I used: /usr/local/bin/radtest -x -t chap eric <password> 127.0.0.1 0 <secret> 1 192.168.1.1 The server debug output showed a failure, but it was because of allegedly a secret mismatch. Here’s the output from the server in debug mode: "rad_recv: Access-Request packet from host 127.0.0.1 port 64369, id=137, length=81 Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response.” I thought that was odd, because I’m not seeing anything about secret mismatches when I’m using the actual VPN client. So I fired up the 2.2.10 radius install that is working, and it fails the same way with a secret mismatch. Furthermore, because part of the Apple instructions for migrating from their version to the one they recommend people install from OpenSource includes steps to dump the clients data from the existing database and import it into the new database, I still have the tmp file that is generated as part of that process. Here’s the single line from my one client: 1,192.168.1.1,router.wittle.net,other,,<secret>,, And yes, the <secret> value in the temp file is the same as the secret value I provided to radtest.
Maybe there's a problem with the OpenDirectory integration in v3. I don't think so, because others use it, and Apple has instructions for using it. So it should work.
I’m not clear that anyone who uses Apple Server is using FreeRADIUS 3.0. As far as I know, I’m running the most recent version of Apple Server that doesn’t remove support for FreeRADIUS entirely, and that is running FreeRADIUS 2.2.10. You might want to read Apple’s instructions for how to install FreeRADIUS 3.0 in their migration guide for migrating services to OpenSource that they published because they’ve removed most of the components of Apple Server in the versions that shipped this fall. If you do, you’ll see at least two egregious errors in their installation instructions. The first is in how to set configuration options for talloc; they specify a configuration command with an argument of “-without-gettext”, which is an invalid argument; it has to be “—without-gettext”. The second, later, is instructions to change the ownership of the plist file with “chmod root:wheel”. If someone knows how to change ownership with chmod rather than chown, I’d be happy to see it. Since Apple can’t get the FreeRADIUS instructions for building correct, and they’re on version 1.2 of the migration guide without correcting them, I’m not sure I’d assume there are a bunch of FreeRADIUS OpenDirectory installations out there. Given that they have two egregious errors in the build instructions, my confidence in their configuration instructions being completely accurate is low. I’m pretty sure their instructions state to uncomment a specific line in an entire section that ships commented out, for example. That last one is from memory, I haven’t gone back and confirmed. But I will when I finally get this working. Once it is working, I’ll file a bug with Apple so that hopefully they can update the migration guide, and someone else can benefit from the large amount of time I’ve spent on this, and whatever help I end up getting from this list. -Eric Appendix A - Appears to be debug output from a successful authentication ======================================================== Ready to process requests (1) Received Access-Request Id 45 from 192.168.1.1:59532 to 192.168.1.2:1812 length 132 (1) Service-Type = Framed-User (1) Framed-Protocol = PPP (1) User-Name = "eric" (1) MS-CHAP-Challenge = 0x2a053a73fcd64ba4fafc59d5e78ab6d5 (1) MS-CHAP2-Response = 0xa300f17177f7f822865736049dcf49eaf81600000000000000007ffbd34e0a6706395266205ea76afcc927029837596e9dcf (1) NAS-IP-Address = 127.0.1.1 (1) NAS-Port = 0 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (1) auth_log: --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181204 (1) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181204 (1) auth_log: EXPAND %t (1) auth_log: --> Tue Dec 4 07:54:15 2018 (1) [auth_log] = ok (1) [chap] = noop (1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (1) [mschap] = ok (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "eric", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry DEFAULT at line 181 (1) [files] = ok (1) opendirectory: The host 192.168.1.1 does not have an access group. (1) [opendirectory] = ok (1) sql: EXPAND %{User-Name} (1) sql: --> eric (1) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Reserved connection (3) (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (1) sql: User not found in any groups rlm_sql (sql): Released connection (3) Need 3 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (1) [sql] = notfound (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = ok (1) Found Auth-Type = mschap (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (1) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (1) mschap: No NT-Password configured. Trying OpenDirectory Authentication (1) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (1) mschap: Stepbuf server challenge : 2a053a73fffffffcffffffd64bffffffa4fffffffafffffffc59ffffffd5ffffffe7ffffff8affffffb6ffffffd5 (1) mschap: Stepbuf peer challenge : fffffff17177fffffff7fffffff822ffffff86573604ffffff9dffffffcf49ffffffeafffffff816 (1) mschap: Stepbuf p24 : 7ffffffffbffffffd34e0a6706395266205effffffa76afffffffcffffffc92702ffffff9837596effffff9dffffffcf (1) [mschap] = ok (1) } # authenticate = ok (1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (1) post-auth { (1) update { (1) No attributes updated (1) } # update = noop (1) reply_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (1) reply_log: --> /var/log/radius/radacct/192.168.1.1/reply-detail-20181204 (1) reply_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/reply-detail-20181204 (1) reply_log: EXPAND %t (1) reply_log: --> Tue Dec 4 07:54:15 2018 (1) [reply_log] = ok (1) sql: EXPAND .query (1) sql: --> .query (1) sql: Using query template 'query' rlm_sql (sql): Reserved connection (4) (1) sql: EXPAND %{User-Name} (1) sql: --> eric (1) sql: SQL-User-Name set to 'eric' (1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (1) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 07:54:15') (1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 07:54:15') (1) sql: SQL query returned: success (1) sql: 1 record(s) updated rlm_sql (sql): Released connection (4) (1) [sql] = ok (1) [exec] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # post-auth = ok (1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0) (1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0 (1) Framed-Protocol = PPP (1) Framed-Compression = Van-Jacobson-TCP-IP (1) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 45 with timestamp +47 Ready to process requests
On Dec 4, 2018, at 8:38 PM, Eric Wittle <eric@wittle.net> wrote:
If you look at the “Appendix A” section below, you’ll see the debug output (just the packet part, I skipped the config dump, since I’ve sent it already earlier in this thread). It sure looks to me like a successful authentication against OpenDirectory, because of the following at the end:
“(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0) (1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0”
That's not good enough. As you noted earlier, the reply also needs an MS-CHAP-Challenge. Which it doesn't have. So... if you read the debug output, is there an MS-CHAP-Challenge?
Despite that success, the VPN still reports authentication failure. If my install and configuration is already successfully authenticating against OpenDirectory based on the debug output, what would I learn by running a test without OpenDirectory?
You would be able to track down exactly where the problem is. Right now, you have: (a) FreeRADIUS config, (b) correct password, (c) MS-CHAP authentication, (d) OpenDirectory, and (e) the NAS / VPN concentrator. Where is the problem? You don't know. The usual process to solve a complex problem is to make the problem simpler. Eventually you narrow the problem down to just one thing. Which is then either misconfigured, or misbehaving. You *cannot* look at just the Access-Accept, and say "well, it's all fine!". You already know that the VPN is complaining about no MS-CHAP-Challenge. And if you read the debug output, you know FreeRADIUS isn't sending one. Which is should. So... maybe the issue os OpenDirectory, or the FreeRADIUS to OpenDirectory integration.
I thought it a natural next step to look at what successful output meant from this configuration, and whether it was different than successful output from the prior version, which is accepted by the VPN client. I’m not sure why you disagree.
I don't disagree. But you're doing the classic flailing around, without really understanding the problem, or narrowing it down: - looking at the detail file logs, not the debug logs - looking at the VPN logs - etc. Don't try a bunch of unrelated / useless things. Read the debug log. Narrow down the problem.
b) with OpenDirectory, but using radtest to send MS-CHAP packets.
i.e. skip the NAS entirely. Just use RADIUS test tools, and look at the RADIUS debug messages.
OK, I thought I’d try that, since you suggested it, but again I’m not sure what that is supposed to tell me if the debug output of running with an actual request from the VPN is returning a success code. So I tried it. Here’s the command I used:
/usr/local/bin/radtest -x -t chap eric <password> 127.0.0.1 0 <secret> 1 192.168.1.1
At this point I'm going to have to ask that you start paying attention. Running a test with CHAP is *not* the same thing as running a test with MS-CHAP. They're different. And radtest *can* use MS-CHAP. The "radtest -h" output shows this.
The server debug output showed a failure, but it was because of allegedly a secret mismatch. Here’s the output from the server in debug mode:
"rad_recv: Access-Request packet from host 127.0.0.1 port 64369, id=137, length=81 Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response.”
Yes, that's a shared secret error.
I thought that was odd, because I’m not seeing anything about secret mismatches when I’m using the actual VPN client.
Because it's coming from a different IP address. Note that if you READ the debug output, it shows that the packet is received from 127.0.0.1. And not 192.168.1.1. AND if you read the "radtest -h" output, you will see that you supplied 127.0.0.1 as the server IP, and 192.168.1.1 as at the "nasname". i.e. NOT the source IP address of the packet.
So I fired up the 2.2.10 radius install that is working, and it fails the same way with a secret mismatch.
Because 127.0.0.1 != 192.168.1.1. This should be fairly straightforward. If you want to send packets FROM 192.168.1.1, then you must send packets FROM that IP. If you send packets FROM 127.0.0.1, then you must use the shared secret for 127.0.0.1. See the "clients.conf" file, and look for the client that defines 127.0.0.1. When sending packets using "radtest" from localhost, use the shared secret from THAT, and not the shared secret for 192.168.1.1.
Furthermore, because part of the Apple instructions for migrating from their version to the one they recommend people install from OpenSource includes steps to dump the clients data from the existing database and import it into the new database, I still have the tmp file that is generated as part of that process. Here’s the single line from my one client:
1,192.168.1.1,router.wittle.net,other,,<secret>,,
And yes, the <secret> value in the temp file is the same as the secret value I provided to radtest.
Which is the wrong shared secret. You are going over the same thing repeatedly, without paying attention to how things work. Please take a step back and pay attention.
Maybe there's a problem with the OpenDirectory integration in v3. I don't think so, because others use it, and Apple has instructions for using it. So it should work.
I’m not clear that anyone who uses Apple Server is using FreeRADIUS 3.0. As far as I know, I’m running the most recent version of Apple Server that doesn’t remove support for FreeRADIUS entirely, and that is running FreeRADIUS 2.2.10. You might want to read Apple’s instructions for how to install FreeRADIUS 3.0 in their migration guide for migrating services to OpenSource that they published because they’ve removed most of the components of Apple Server in the versions that shipped this fall. If you do, you’ll see at least two egregious errors in their installation instructions. The first is in how to set configuration options for talloc; they specify a configuration command with an argument of “-without-gettext”, which is an invalid argument; it has to be “—without-gettext”. The second, later, is instructions to change the ownership of the plist file with “chmod root:wheel”. If someone knows how to change ownership with chmod rather than chown, I’d be happy to see it.
Those are both typos, and fairly straightforward ones. They're not errors which *break* things.
Since Apple can’t get the FreeRADIUS instructions for building correct, and they’re on version 1.2 of the migration guide without correcting them, I’m not sure I’d assume there are a bunch of FreeRADIUS OpenDirectory installations out there. Given that they have two egregious errors in the build instructions, my confidence in their configuration instructions being completely accurate is low. I’m pretty sure their instructions state to uncomment a specific line in an entire section that ships commented out, for example. That last one is from memory, I haven’t gone back and confirmed. But I will when I finally get this working. Once it is working, I’ll file a bug with Apple so that hopefully they can update the migration guide, and someone else can benefit from the large amount of time I’ve spent on this, and whatever help I end up getting from this list.
I've been trying to help you. So far it's not been easy. You're working *really* hard at doing the wrong thing. Take a step back.
Appendix A - Appears to be debug output from a successful authentication ========================================================
And as was noted in earlier messages, it's missing an MS-CHAP-Success attribute in the reply. You can't just post the same thing over and over, expecting that it will magically solve the problem. It won't. Read this message a few times. Take a step back, and *change your approach*. Do one thing. If it doesn't work, ask a question. If it works, do another thing. Break the problem down into pieces. Don't post messages where you try multiple things, and then waste time discovering "bugs", because you got something wrong. It's frustrating for you, and for us. The problem shouldn't be that difficult to track down and/or fix. But if you waste hours looking at the *wrong shared secret*, those are hours you could have spent more productively. Alan DeKok.
And now I’ll resume the path I was originally on. The problem that is causing my VPN to fail authentication, from comparing the responses outside of debugging, is that 3.0.17 is not returning MS-CHAP2-Success. If we look at opendir.c in rlm_mschap, we see the following code: if (status == eDSNoErr) { RDEBUG2("ELW: status == eDSNoErr\n"); if (pStepBuff->fBufferLength > 4) { RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n"); size_t len; memcpy(&len, pStepBuff->fBufferData, sizeof(len)); if (len == 40) { RDEBUG2("ELW: len == 40\n"); char mschap_reply[42] = { '\0' }; pStepBuff->fBufferData[len+4] = '\0'; mschap_reply[0] = 'S'; mschap_reply[1] = '='; memcpy(&(mschap_reply[2]), &(pStepBuff->fBufferData[4]), len); mschap_add_reply(request, &request->reply->vps, *response->vp_strvalue, "MS-CHAP2-Success", mschap_reply, len+2); RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%zu)\n", mschap_reply, len); } else { RDEBUG2("ELW: len == %zu\n", len); } } } You may notice a few extra lines I added for debugging purposes (text strings with ELW in them). This code seems pretty clearly where MS-CHAP2-Success is supposed to be added to the reply. Below, in the section headed Appendix A, you see the debug output from 3.0.17 with the additional debugging added. It clearly shows that the test “len == 40” is failing during successful authentication, and therefore the MS-CHAP2-Success value is not being added to the reply. It has been many decades since I did C programming, so this exhausts my ability to debug the problem without digging out my Kernighan & Ritchie, assuming I could find it. I’ve seen text in various comments that the open directory configuration is owned by Apple, should I assume that opendir.c is owned by them as well? If so, I’ll file a bug with them, and drop back to 2.2.10. Appendix A ========= Ready to process requests (0) Received Access-Request Id 49 from 192.168.1.1:50192 to 192.168.1.2:1812 length 132 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "eric" (0) MS-CHAP-Challenge = 0x2865983ecdee941a08a635417c19deb5 (0) MS-CHAP2-Response = 0x410010c7856c01bf71f1230a236ccd8a535a000000000000000008c485f49f713bcefda1a071a0df4565e3fd316e9c5aa40e (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181204 (0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181204 (0) auth_log: EXPAND %t (0) auth_log: --> Tue Dec 4 21:59:38 2018 (0) [auth_log] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "eric", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) opendirectory: The host 192.168.1.1 does not have an access group. (0) [opendirectory] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 136 seconds rlm_sql_sqlite: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 136 seconds rlm_sql_sqlite: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 136 seconds rlm_sql_sqlite: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 136 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_sqlite: Socket destructor called, closing socket rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 136 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_sqlite: Socket destructor called, closing socket rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 136 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_sqlite: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" rlm_sql (sql): Reserved connection (6) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (6) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (0) mschap: Stepbuf server challenge : 2865ffffff983effffffcdffffffeeffffff941a08ffffffa635417c19ffffffdeffffffb5 (0) mschap: Stepbuf peer challenge : 10ffffffc7ffffff856c01ffffffbf71fffffff1230a236cffffffcdffffff8a535a (0) mschap: Stepbuf p24 : 08ffffffc4ffffff85fffffff4ffffff9f713bffffffcefffffffdffffffa1ffffffa071ffffffa0ffffffdf4565ffffffe3fffffffd316effffff9c5affffffa40e (0) mschap: ELW: status == eDSNoErr (0) mschap: ELW: pStepBuff->fBufferLength > 4 (0) mschap: ELW: len == 3978992058181353512 (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) reply_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/radius/radacct/192.168.1.1/reply-detail-20181204 (0) reply_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/reply-detail-20181204 (0) reply_log: EXPAND %t (0) reply_log: --> Tue Dec 4 21:59:38 2018 (0) [reply_log] = ok (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (6) (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 21:59:38') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 21:59:38') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (6) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0) (0) Sent Access-Accept Id 49 from 192.168.1.2:1812 to 192.168.1.1:50192 length 0 (0) Framed-Protocol = PPP (0) Framed-Compression = Van-Jacobson-TCP-IP (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 49 with timestamp +136 Ready to process requests
On Tue, 2018-12-04 at 22:16 -0500, Eric Wittle wrote:
if (pStepBuff->fBufferLength > 4) { RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n"); size_t len;
I suspect changing that from uint32_t to size_t has had the unintended consequences of making it a 64-bit integer on your platform, which breaks the (len == 40) comparison. Try changing "size_t len" to "uint32_t len" and see if that fixes it.
(0) mschap: ELW: len == 3978992058181353512
The lower 32 bits of this value are "40"... the rest is junk. -- Matthew
On Dec 5, 2018, at 5:35 AM, Matthew Newton <mcn@freeradius.org> wrote:
I suspect changing that from uint32_t to size_t has had the unintended consequences of making it a 64-bit integer on your platform, which breaks the (len == 40) comparison.
Try changing "size_t len" to "uint32_t len" and see if that fixes it.
I've pushed a fix to the v3.0.x branch. The change to "size_t" was a mis-guided attempt to fix string printing issues. Alan DeKok.
Responding to Matthew (I subscribed with digest enabled, so replying to specific emails is a challenge. Mistake on my part). Revised section of code is: if (status == eDSNoErr) { RDEBUG2("ELW: status == eDSNoErr\n"); if (pStepBuff->fBufferLength > 4) { RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n"); uint32_t len; memcpy(&len, pStepBuff->fBufferData, sizeof(len)); RDEBUG2("ELW: sizeof(len) = %lu\n", sizeof(len)); RDEBUG2("ELW: value of len is %lu\n", len); if (len == 40) { RDEBUG2("ELW: Inside len == 40\n"); char mschap_reply[42] = { '\0' }; pStepBuff->fBufferData[len+4] = '\0'; mschap_reply[0] = 'S'; mschap_reply[1] = '='; memcpy(&(mschap_reply[2]), &(pStepBuff->fBufferData[4]), len); RDEBUG2("About to mschap_add_reply with %s\n", mschap_reply); mschap_add_reply(request, &request->reply->vps, *response->vp_strvalue, "MS-CHAP2-Success", mschap_reply, len+2); RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%zu)\n", mschap_reply, len); That gets me a bit farther (inside the len == 40 check), but then I get a seg fault in the call to mschap_add_reply: Ready to process requests (0) Received Access-Request Id 62 from 192.168.1.1:44978 to 192.168.1.2:1812 length 132 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "eric" (0) MS-CHAP-Challenge = 0x574ca5b59a8e344553b717024fa20962 (0) MS-CHAP2-Response = 0x3b0091c88b94ecc81c10752a252fd386ca2b0000000000000000a394fdc9ca017ded44b770f4d01a535f3fe7fee7a1f6df4c (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181205 (0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181205 (0) auth_log: EXPAND %t (0) auth_log: --> Wed Dec 5 08:30:37 2018 (0) [auth_log] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "eric", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) opendirectory: The host 192.168.1.1 does not have an access group. (0) [opendirectory] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> eric (0) sql: SQL-User-Name set to 'eric' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db" (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: No NT-Password configured. Trying OpenDirectory Authentication (0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) (0) mschap: Stepbuf server challenge : 574cffffffa5ffffffb5ffffff9affffff8e344553ffffffb717024fffffffa20962 (0) mschap: Stepbuf peer challenge : ffffff91ffffffc8ffffff8bffffff94ffffffecffffffc81c10752a252fffffffd3ffffff86ffffffca2b (0) mschap: Stepbuf p24 : ffffffa3ffffff94fffffffdffffffc9ffffffca017dffffffed44ffffffb770fffffff4ffffffd01a535f3fffffffe7fffffffeffffffe7ffffffa1fffffff6ffffffdf4c (0) mschap: ELW: status == eDSNoErr (0) mschap: ELW: pStepBuff->fBufferLength > 4 (0) mschap: ELW: sizeof(len) = 4 (0) mschap: ELW: value of len is 40 (0) mschap: ELW: Inside len == 40 (0) mschap: About to mschap_add_reply with S=B523E9A9A2F00BF04246DD46E1C3BDC1E7F0CA3F???? Segmentation fault: 11 Matthew wrote: On Tue, 2018-12-04 at 22:16 -0500, Eric Wittle wrote:
if (pStepBuff->fBufferLength > 4) { RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n"); size_t len;
I suspect changing that from uint32_t to size_t has had the unintended consequences of making it a 64-bit integer on your platform, which breaks the (len == 40) comparison. Try changing "size_t len" to "uint32_t len" and see if that fixes it.
(0) mschap: ELW: len == 3978992058181353512
The lower 32 bits of this value are "40"... the rest is junk. -- Matthew
On Wed, 2018-12-05 at 08:36 -0500, Eric Wittle wrote:
Responding to Matthew (I subscribed with digest enabled, so replying to specific emails is a challenge. Mistake on my part).
Try temporarily commenting out this line:
RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%zu)\n", mschap_reply, len);
(or change the %zu to %ld) That's the only other line of code in that section that has changed in ~10 years. I can't imagine telling it to print 64 bits when there are only 32 is going to always end well. The segfault happens somewherer after your RDEBUG line. Not necessarily on the very next line, though. -- Matthew
Responding to Matthew & Alan. I manually repeated the changes Alan checked in to opendir.c. Unfortunately, I still got a segfault after those changes. I’ve done some debugging since, and now have a successfully authenticating VPN with the modified code (yeah)! The segmentation fault was because the method signature for mschap_add_reply in opendir.c didn’t match the actual method in rlm_mschap.c. I changed the signature definition at the top to remove the ValuePair parameter; it seemed to match the current definition in rlm_mschap.c more correctly that way: /* void mschap_add_reply(REQUEST *request, VALUE_PAIR** vp, unsigned char ident, char const* name, char const* value, int len); */ void mschap_add_reply(REQUEST *request, unsigned char ident, char const* name, char const* value, int len); and the method call for MS-CHAP2-Success: mschap_add_reply(request, /* &request->reply->vps, */ *response->vp_strvalue, "MS-CHAP2-Success", mschap_reply, len + 2); As I mentioned, VPN authentication is now working with these modifications. If these are not the most correct way to solve the problem, please let me know. I’m also willing to build from a pull when you have a final change as a validation if you’d like. I’m planning on filing an issue with Apple on their documentation for migrating from Apple Server to the 3.0 version of FreeRADIUS. I’m honestly curious if either of you think that open directory authentication with 3.0 could work in any cases? It seems to me like they never tested their instructions, but I admit I’m generalizing from one single use case (router authentication). As you can probably tell from some of my early e-mails, my ignorance about FreeRADIUS was quite high when I first engaged with this group, and I simply don’t know if there would be use cases where the missing MS-CHAP2-Success would not cause problems. Lastly, when I file the issue with apple, would you be comfortable that I recommend that they change to a 3.0 version that contains whatever the final fixed code is? Their docs currently say 3.0.0 specifically. If so, would that be 3.0.18? Thanks again for your help, and sorry for any confusion I may have caused along the way. -Eric
On Dec 5, 2018, at 6:21 PM, Eric Wittle <eric@wittle.net> wrote:
Responding to Matthew & Alan.
I manually repeated the changes Alan checked in to opendir.c. Unfortunately, I still got a segfault after those changes. I’ve done some debugging since, and now have a successfully authenticating VPN with the modified code (yeah)!
The segmentation fault was because the method signature for mschap_add_reply in opendir.c didn’t match the actual method in rlm_mschap.c. I changed the signature definition at the top to remove the ValuePair parameter; it seemed to match the current definition in rlm_mschap.c more correctly that way:
Thanks. I've pushed a fix to the code. It should now be in the v3.0.x branch on GitHub.
I’m planning on filing an issue with Apple on their documentation for migrating from Apple Server to the 3.0 version of FreeRADIUS. I’m honestly curious if either of you think that open directory authentication with 3.0 could work in any cases?
It worked prior to 2014, (3.0.6) when the erroneous change went in.
It seems to me like they never tested their instructions, but I admit I’m generalizing from one single use case (router authentication). As you can probably tell from some of my early e-mails, my ignorance about FreeRADIUS was quite high when I first engaged with this group, and I simply don’t know if there would be use cases where the missing MS-CHAP2-Success would not cause problems.
Lastly, when I file the issue with apple, would you be comfortable that I recommend that they change to a 3.0 version that contains whatever the final fixed code is? Their docs currently say 3.0.0 specifically. If so, would that be 3.0.18?
Yes.
Thanks again for your help, and sorry for any confusion I may have caused along the way.
Confusion is understandable. The most important thing is *learning*, and *fixing* problems. That is a skill which is much appreciated. Alan DeKok.
On Dec 3, 2018, at 6:26 AM, Eric Wittle <eric@wittle.net> wrote:
OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:
Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
The debug log you posted shows that the user was authenticated. And there was no error. Alan DeKok.
participants (5)
-
Adam Bishop -
Alan DeKok -
Eric Wittle -
Matthew Newton -
Paul Thornton