Hi there, I have been googling and searching the archives for help - no luck so far. I am trying to get Mac OS X 10.5.4 Server to authenticate against the Open Directory in order to provide "http://eduroam.org" service - so far with no luck. I AM able to authenticate against my hardcoded users in the /users file so I know that part (most?) of the setup is working (firewall, proxying etc). Running radiusd in debug mode: (sudo /usr/sbin/radiusd -X -f) gives this good debug info (please help me find my problem as I am not yet an expert within the RADIUS - yet :-) Testclient is also Mac OS X 10.5.4 though a Client - not a Server :) rad_recv: Access-Request packet from host 130.225.242.107:1814, id=26, length=201 Received packet from 130.225.242.107 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response. Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 130.225.242.107:1814, id=27, length=201 Received packet from 130.225.242.107 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response. Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Request packet from host 130.225.242.107:1814, id=28, length=201 Received packet from 130.225.242.107 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response. Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 26 with timestamp 48b8514f Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 27 with timestamp 48b85151 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 28 with timestamp 48b85153 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 130.225.242.106:1814, id=19, length=201 User-Name = "testuser@bric.dk" Calling-Station-Id = "00-14-51-7F-C3-A2" Called-Station-Id = "00-0B-85-84-19-E0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.17.1.4 NAS-Identifier = "Cisco_ea:68:a3" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "\000800" EAP-Message = 0x0203001501746573747573657240627269632e646b Message-Authenticator = 0x5216ae078ddb62a4e787498caba6c2f6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: Looking up realm "bric.dk" for User-Name = "testuser@bric.dk" rlm_realm: Found realm "bric.dk" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm bric.dk rlm_realm: Adding Realm = "bric.dk" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 3 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 130.225.242.106 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 19 to 130.225.242.106 port 1814 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010400061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6b55b82a65c27423545059bd72c3a1a3 Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 130.225.242.106:1814, id=20, length=310 User-Name = "testuser@bric.dk" Calling-Station-Id = "00-14-51-7F-C3-A2" Called-Station-Id = "00-0B-85-84-19-E0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.17.1.4 NAS-Identifier = "Cisco_ea:68:a3" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "\000800" EAP-Message = 0x0204007015800000006616030100610100005d030148b8515f5a170a84693976f3002d3d2f17b996dfb6a11461d76e12aa04c823b1000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 State = 0x6b55b82a65c27423545059bd72c3a1a3 Message-Authenticator = 0x2290f9444384fa8a336e277b8f63f4a5 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: Looking up realm "bric.dk" for User-Name = "testuser@bric.dk" rlm_realm: Found realm "bric.dk" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm bric.dk rlm_realm: Adding Realm = "bric.dk" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 112 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 4 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 130.225.242.106 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0205], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 20 to 130.225.242.106 port 1814 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0105026c158000000262160301004a02000046030148b8515fe87904cb4446203056b73fd1aa5ba41024828ee331b8ec32a39a1e5b20cef766ec6a5dce450efd2bb291ec7b40b0f4030813d956b6caf6653d6165e6f8002f0016030102050b0002010001fe0001fb308201f730820160a00302010202043d6c7d37300b06092a864886f70d0101053030310d300b06035504030c0474657374310d300b060355040a0c04427269633110300e060355040b0c07627269632e646b301e170d3037313232303030313935355a170d3038313131383231303734305a3030310d300b06035504030c0474657374310d300b060355040a0c0442726963311030 EAP-Message = 0x0e060355040b0c07627269632e646b30819f300d06092a864886f70d010101050003818d0030818902818100b528df96ddfa57a15ea58d4e10a91abaf7593617eb2678914c78a75f7a46f1871b1f6ed38cd1cfa5f6f98cb40d439d8b065dab0225408e6e5089b6bff5a5f8188d9ed6e48eb7890c1a05d38babe9d5f7e8824400e8d84713c1eb3bed51958cec1f2bffd25c58ee07f0c8c86ba191bdeae66859cde52751dc3679d4363a0e75170203010001a320301e300b0603551d0f0404030202b4300f0603551d130101ff04053003010100300d06092a864886f70d010105050003818100174fa69b358ee0e1e5334a00b51cbe7544cde878d7c81e EAP-Message = 0x8f7f6e4baf89af1d373dbfe40df55287642014d4918bec674b195de4d5ebcd57496fb21acffdcc4947db69f77a837ff8337c302cb8daef2c2273b33f92d0b5565939dc09fadd01e3bac3f88eb1a14e3d18aa2f66fedac03fda91cc14e9bc346acce1dc7295f117ef3316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7a08498b7d8fd373619e637a6b9497f Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 130.225.242.106:1814, id=21, length=406 User-Name = "testuser@bric.dk" Calling-Station-Id = "00-14-51-7F-C3-A2" Called-Station-Id = "00-0B-85-84-19-E0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.17.1.4 NAS-Identifier = "Cisco_ea:68:a3" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "\000800" EAP-Message = 0x020500d01580000000c616030100861000008200809c6256be59d58444084217ef937e20ab4e9addb1d7a71164b4bdb4dd90f9c51cebc2c3d0f966d9ae13036119cf961595f38b28ea311c563f363836b99c0eff13b77e110076d212203447dcd9889852f9f8d2b00a161bebe33abca071a91f9020d16a4493c0f823809ad6c3f27235f881029ca6dbe15ccef1c1ee9fd8b7e01e5a14030100010116030100309904a5ef25e86c0ff9c272ad5540fc6e6c9cb1c478a821a9e403953262bd772da137dd3360670763c1b23de636783813 State = 0xa7a08498b7d8fd373619e637a6b9497f Message-Authenticator = 0xa300f3c74dfa418d42a8476478f7004f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: Looking up realm "bric.dk" for User-Name = "testuser@bric.dk" rlm_realm: Found realm "bric.dk" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm bric.dk rlm_realm: Adding Realm = "bric.dk" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 5 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 130.225.242.106 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 21 to 130.225.242.106 port 1814 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0106004515800000003b14030100010116030100307324aca9a0624587c31701d7b81b24d1e2c097d5ce09f15c0453da9c701026b1becb4154c55342e02d2ce85c2b40ea23 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfb62e9c7f0b887914d1f617cc70a339 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 130.225.242.106:1814, id=22, length=357 User-Name = "testuser@bric.dk" Calling-Station-Id = "00-14-51-7F-C3-A2" Called-Station-Id = "00-0B-85-84-19-E0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.17.1.4 NAS-Identifier = "Cisco_ea:68:a3" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "\000800" EAP-Message = 0x0206009f1580000000951703010090b7d3eb1b77b7775c8190cebfb411d21e6627e9821f86d356f60efbea7c6497dc66664ceb21febfbf59b80227b6cb777d2e4c6051e8af54229d35c254d796f4d6f0e1bfe716919511042be43818729094631ebcff50c771ffc2e6df73e0c709c28830d6b82db4df8110839e0c4b153b28030486f23d112d509b68e612d592eabf5f202b68c70ddfaf2da06d3e441a8eff State = 0xcfb62e9c7f0b887914d1f617cc70a339 Message-Authenticator = 0x4d0c9e4196d02fceeaf413d2586fefbf Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: Looking up realm "bric.dk" for User-Name = "testuser@bric.dk" rlm_realm: Found realm "bric.dk" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm bric.dk rlm_realm: Adding Realm = "bric.dk" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 159 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 6 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 130.225.242.106 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS: Got tunneled request User-Name = "testuser@bric.dk" MS-CHAP-Challenge = 0x63a3c34cf7df7e1ce1847c548b4c01c7 MS-CHAP2-Response = 0xe1006877cd5e3a28368d5bf9531c77e811a700000000000000004016c5470ee27eb869fd7d9d0093ffa247bdb4e6a2b89fe4 FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Sending tunneled request User-Name = "testuser@bric.dk" MS-CHAP-Challenge = 0x63a3c34cf7df7e1ce1847c548b4c01c7 MS-CHAP2-Response = 0xe1006877cd5e3a28368d5bf9531c77e811a700000000000000004016c5470ee27eb869fd7d9d0093ffa247bdb4e6a2b89fe4 FreeRADIUS-Proxied-To = 127.0.0.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 6 rlm_realm: Looking up realm "bric.dk" for User-Name = "testuser@bric.dk" rlm_realm: Found realm "bric.dk" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm bric.dk rlm_realm: Adding Realm = "bric.dk" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 6 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 236 radius_xlat: 'testuser@bric.dk' modcall[authorize]: module "files" returns ok for request 6 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 127.0.0.1 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 6 modcall: leaving group authorize (returns ok) for request 6 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testuser@bric.dk with NT-Password rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication. rlm_mschap: getUserNodeRef(): dsGetRecordList() status = 0, recCount=0 rlm_osx_od: ds_mschap_auth: getUserNodeRef failed modcall[authenticate]: module "mschap" returns fail for request 6 modcall: leaving group MS-CHAP (returns fail) for request 6 auth: Failed to validate the user. Login incorrect: [testuser@bric.dk/<no User-Password attribute>] (from client localhost port 0) TTLS: Got tunneled reply RADIUS code 3 User-Name = "testuser@bric.dk" TTLS: Got tunneled Access-Reject rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 6 modcall: leaving group authenticate (returns invalid) for request 6 auth: Failed to validate the user. Login incorrect: [testuser@bric.dk/<no User-Password attribute>] (from client tld-1 port 29 cli 00-14-51-7F-C3-A2) Delaying request 6 for 1 seconds Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 130.225.242.106:1814, id=23, length=357 User-Name = "testuser@bric.dk" Calling-Station-Id = "00-14-51-7F-C3-A2" Called-Station-Id = "00-0B-85-84-19-E0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.17.1.4 NAS-Identifier = "Cisco_ea:68:a3" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "\000800" EAP-Message = 0x0206009f1580000000951703010090b7d3eb1b77b7775c8190cebfb411d21e6627e9821f86d356f60efbea7c6497dc66664ceb21febfbf59b80227b6cb777d2e4c6051e8af54229d35c254d796f4d6f0e1bfe716919511042be43818729094631ebcff50c771ffc2e6df73e0c709c28830d6b82db4df8110839e0c4b153b28030486f23d112d509b68e612d592eabf5f202b68c70ddfaf2da06d3e441a8eff State = 0xcfb62e9c7f0b887914d1f617cc70a339 Message-Authenticator = 0x2535af39d3c8b25b89693657df5323ba Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: Looking up realm "bric.dk" for User-Name = "testuser@bric.dk" rlm_realm: Found realm "bric.dk" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm bric.dk rlm_realm: Adding Realm = "bric.dk" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 6 length 159 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 modcall[authorize]: module "files" returns ok for request 7 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 130.225.242.106 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Login incorrect: [testuser@bric.dk/<no User-Password attribute>] (from client tld-1 port 29 cli 00-14-51-7F-C3-A2) Delaying request 7 for 1 seconds Finished request 7 Going to the next request --- Walking the entire request list --- Sending Access-Reject of id 22 to 130.225.242.106 port 1814 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 19 with timestamp 48b8515f Cleaning up request 4 ID 20 with timestamp 48b8515f Cleaning up request 5 ID 21 with timestamp 48b8515f Sending Access-Reject of id 23 to 130.225.242.106 port 1814 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 22 with timestamp 48b85161 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 7 ID 23 with timestamp 48b85163 Nothing to do. Sleeping until we see a request. Any suggestion are more than welcome(!) TvE
modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testuser@bric.dk with NT-Password rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication.
What is the password entry for this user in ldap? Is it encrypted? Ivan Kalik Kalik Informatika ISP
On Fri, Aug 29, 2008 at 11:57 PM, Ivan Kalik <tnt@kalik.net> wrote:
modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testuser@bric.dk with NT-Password rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication.
What is the password entry for this user in ldap? Is it encrypted?
Ivan Kalik Kalik Informatika ISP
The password are stored in the "default OS X Server way" for a shared domain. This is in what Apple calls Open Directory: meaning that the LDAP stores a pointer (aka a password slot) which references the actual password which is stored in a database seperate from the LDAP. Details can be found on page 41 in this document: http://images.apple.com/server/macosx/docs/Open_Directory_Admin_v10.5.pdf This mechanism is what is working "out of the box". Earlier on I made a test environment where this worked - the difference being the test environment was a server and an access point communicating directly. Now - the real scenario - the server is working in what I think is called proxy mode, the authentication requests does not originate directly from the access point, but is "relayed" (my best description) via the Eduroam DK top level servers. NB.: I suspect that the LDAP is not even queried, I am not yet able to find any clues in the logfiles indicating anything else :( - TvE
On Sat, Aug 30, 2008 at 9:13 AM, Thomas von Eyben <thomasvoneyben@gmail.com> wrote:
On Fri, Aug 29, 2008 at 11:57 PM, Ivan Kalik <tnt@kalik.net> wrote:
modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testuser@bric.dk with NT-Password rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication.
What is the password entry for this user in ldap? Is it encrypted?
rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testuser@bric.dk with NT-Password rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication. rlm_mschap: getUserNodeRef(): dsGetRecordList() status = 0, recCount=0 THIS: rlm_osx_od: ds_mschap_auth: getUserNodeRef failed looks like radius is unable to talk to Apples Open Directory… - TvE
rlm_mschap: getUserNodeRef(): dsGetRecordList() status = 0, recCount=0
THIS: rlm_osx_od: ds_mschap_auth: getUserNodeRef failed looks like radius is unable to talk to Apples Open Directory
I don't see why. opendir.c (part of the source code that deals with mschap authentication to OpenDirectory) is provided by Apple. You might need to take it up with them. Perhaps something changed in the latest OS version (code is a year old). Ivan Kalik Kalik Informatika ISP
I have now done a lot of debugging with my OS X Server + Open Directory Users setup: Using an Apple Access Point AND using Apple's Server Admin management tool to configure radiusd I am able to authenticate to Open Directory users BUT only when I provide my shortname without the realm/domain name. EG Authenticating as user "u1" works, but authenticating as user "u1@voneyben.net" does not work. I now know that it IS possible to authenticate towards OD :) Unfortunately I am unable to figure out how to change the configuration to solve my problem authenticating users like "u1@voneyben.net" A complete debug is available here: http://voneyben.net/radius/auth-u1-ok.txt http://voneyben.net/radius/auth-u1@voneyben.net-bad.txt When authenticating ("u1") is done correctly this part looks interesting: rlm_realm: No '@' in User-Name = "u1", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "u1" rlm_realm: Proxying request from user u1 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. When authenticating (u1@voneyben.net) is going bad this part looks interesting: modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "voneyben.net" for User-Name = "u1@voneyben.net" rlm_realm: Found realm "voneyben.net" rlm_realm: Adding Stripped-User-Name = "u1" rlm_realm: Proxying request from user u1 to realm voneyben.net rlm_realm: Adding Realm = "voneyben.net" rlm_realm: Authentication realm is LOCAL. So how do I modify proxy.conf to get the "u1@voneyben.net" to be handled the same way as "u1", meaning to get Apple's Open Directory to do it's thing :) Currently the realm in proxy.conf looks like this: realm voneyben.net { type = radius authhost = LOCAL accthost = LOCAL } The complete config files are available here; http://voneyben.net/radius/proxy.conf http://voneyben.net/radius/radiusd.conf http://voneyben.net/radius/eap.conf And - to save a lot of scrolling - without the comments: http://voneyben.net/radius/proxy-no-comments.conf http://voneyben.net/radius/radiusd-no-comments.conf http://voneyben.net/radius/eap-no-comments.conf - TvE
You are using outdated version of the server which doesn't support virtual servers. In current version eap is processed by the default virtual server while inner tunnel is processed by - inner-tunnel virtual server. If you don't want to upgrade you can emulate this by using - real ones. Set up another radius server with identical configuration which will process inner tunnel requests. Add realm inner-tunnel to the current server proxy.conf which will proxy requests to the new server. Add this to users file: DEFAULT FreeRADIUS-Proxied-To = 127.0.0.1, Proxy-To-Realm := "inner-tunnel" In that way stripped username will be sent to inner-tunnel server for authentication (which you have showed to work). You can't simply rewrite User-Name with Stripped-User-Name in your current setup because EAP will fail. Ivan Kalik Kalik Informatika ISP Dana 1/9/2008, "Thomas von Eyben" <thomasvoneyben@gmail.com> piše:
I have now done a lot of debugging with my OS X Server + Open Directory Users setup:
Using an Apple Access Point AND using Apple's Server Admin management tool to configure radiusd I am able to authenticate to Open Directory users BUT only when I provide my shortname without the realm/domain name. EG Authenticating as user "u1" works, but authenticating as user "u1@voneyben.net" does not work.
I now know that it IS possible to authenticate towards OD :) Unfortunately I am unable to figure out how to change the configuration to solve my problem authenticating users like "u1@voneyben.net"
A complete debug is available here: http://voneyben.net/radius/auth-u1-ok.txt http://voneyben.net/radius/auth-u1@voneyben.net-bad.txt
When authenticating ("u1") is done correctly this part looks interesting: rlm_realm: No '@' in User-Name = "u1", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "u1" rlm_realm: Proxying request from user u1 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL.
When authenticating (u1@voneyben.net) is going bad this part looks interesting: modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "voneyben.net" for User-Name = "u1@voneyben.net" rlm_realm: Found realm "voneyben.net" rlm_realm: Adding Stripped-User-Name = "u1" rlm_realm: Proxying request from user u1 to realm voneyben.net rlm_realm: Adding Realm = "voneyben.net" rlm_realm: Authentication realm is LOCAL.
So how do I modify proxy.conf to get the "u1@voneyben.net" to be handled the same way as "u1", meaning to get Apple's Open Directory to do it's thing :)
Currently the realm in proxy.conf looks like this: realm voneyben.net { type = radius authhost = LOCAL accthost = LOCAL }
The complete config files are available here; http://voneyben.net/radius/proxy.conf http://voneyben.net/radius/radiusd.conf http://voneyben.net/radius/eap.conf
And - to save a lot of scrolling - without the comments: http://voneyben.net/radius/proxy-no-comments.conf http://voneyben.net/radius/radiusd-no-comments.conf http://voneyben.net/radius/eap-no-comments.conf
- TvE - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2008/9/2 Ivan Kalik <tnt@kalik.net>:
You are using outdated version of the server which doesn't support virtual servers. In current version eap is processed by the default virtual server while inner tunnel is processed by - inner-tunnel virtual server. If you don't want to upgrade you can emulate this by using - real ones.
Set up another radius server with identical configuration which will process inner tunnel requests. Add realm inner-tunnel to the current server proxy.conf which will proxy requests to the new server. Add this to users file:
DEFAULT FreeRADIUS-Proxied-To = 127.0.0.1, Proxy-To-Realm := "inner-tunnel"
In that way stripped username will be sent to inner-tunnel server for authentication (which you have showed to work). You can't simply rewrite User-Name with Stripped-User-Name in your current setup because EAP will fail.
Ivan Kalik Kalik Informatika ISP
Thank you for the detailed analysis and explanation. For now I think I'll stick with the Apple supplied version of radiusd - perhaps Mac OS X Server 10.5.5 will include a newer radiusd(!) - When Apple (or I) updates to the current version of radiusd, will my current configuration then work as expected or how will I need to alter the configuration? This morning I found an acceptable workaround that I will stick to for the moment: That is to create an alias for the user in the Open Directory. The user "u1" is now also known as "u1@voneyben.net" hence it will be authenticated ;-). I "only" need to alter a few houndred users (need to make a script i guess :), but I'll get a "cleaner" setup by only being dependant upon _one_ server for the radius authentication. Thank you again for you anlysis! - TvE
Am 30.08.2008 um 09:13 schrieb Thomas von Eyben:
On Fri, Aug 29, 2008 at 11:57 PM, Ivan Kalik <tnt@kalik.net> wrote:
modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM- Password. rlm_mschap: No User-Password configured. Cannot create NT- Password. rlm_mschap: Told to do MS-CHAPv2 for testuser@bric.dk with NT- Password rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication.
What is the password entry for this user in ldap? Is it encrypted?
Ivan Kalik Kalik Informatika ISP
The password are stored in the "default OS X Server way" for a shared domain. This is in what Apple calls Open Directory: meaning that the LDAP stores a pointer (aka a password slot) which references the actual password which is stored in a database seperate from the LDAP.
Details can be found on page 41 in this document: http://images.apple.com/server/macosx/docs/ Open_Directory_Admin_v10.5.pdf
This mechanism is what is working "out of the box". Earlier on I made a test environment where this worked - the difference being the test environment was a server and an access point communicating directly. Now - the real scenario - the server is working in what I think is called proxy mode, the authentication requests does not originate directly from the access point, but is "relayed" (my best description) via the Eduroam DK top level servers.
NB.: I suspect that the LDAP is not even queried, I am not yet able to find any clues in the logfiles indicating anything else :(
All this does not seem to indicate that neither a NT password (a MD4 hash of the UTF-16LE encoding of the password) nor a cleartext version of the password (so that the NT password can be calculated) is available for processing MSCHAP. Page 41 would imply (at least for me) that MD5 hashes are available, which cannot be used for MSCHAP, as a hash cannot be "un-encrypted".
- TvE - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Have a nice day! Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
participants (3)
-
Ivan Kalik -
Nicolas Goutte -
Thomas von Eyben