MSCHAPv2 fails to authenticate against OpenDirectory with error 5100 (0x13ec)
Dear FreeRADIUS users, I'm trying to follow the instructions in Dan Barrett's article <https://www.yesdevnull.net/2013/10/os-x-mavericks-server-setting-up-freeradius/> to get the distribution of FreeRADIUS (v2.2.0) that ships with OS X Server (v4.1) to authenticate Open Directory users via non-Apple authenticators. However, the MSCHAPv2 module always fails as follows: [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: username [mschap] Client is using MS-CHAPv2 for username, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Doing OD MSCHAPv2 auth [mschap] Authentication failed for username: error 5100 (0x13ec): unknown error I can't find any documentation on what might have caused this error and am not sure how to progress from here. Your thoughts would be most welcome! Kind regards, -- Alan
On Jun 10, 2015, at 7:58 AM, Alan Egerton <eggyal@gmail.com> wrote:
I'm trying to follow the instructions in Dan Barrett's article <https://www.yesdevnull.net/2013/10/os-x-mavericks-server-setting-up-freeradius/> to get the distribution of FreeRADIUS (v2.2.0) that ships with OS X Server (v4.1) to authenticate Open Directory users via non-Apple authenticators.
It *should* just work. After all, it's supposed to be tested by Apple before they ship it.
However, the MSCHAPv2 module always fails as follows:
[mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: username [mschap] Client is using MS-CHAPv2 for username, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Doing OD MSCHAPv2 auth [mschap] Authentication failed for username: error 5100 (0x13ec): unknown error
I can't find any documentation on what might have caused this error and am not sure how to progress from here. Your thoughts would be most welcome!
I can't find any documentation, either. I suggest trying to install 3.0.8. We've put more messages into the module which *should* help track down exactly what's going wrong. Alan DeKok.
On Wed, Jun 10, 2015 at 1:49 PM, Alan DeKok <aland@deployingradius.com> wrote:
I suggest trying to install 3.0.8. We've put more messages into the module which *should* help track down exactly what's going wrong.
Okay, to attempt with 3.0.8 I did the following: 1. Downloaded and extracted ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.8.tar.gz 2. Reversed the logic on line 363 of src/modules/rlm_opendirectory/rlm_opendirectory.c: rad_getgid() is defined in lines 1419 to 1437 of src/main/util.c, and clearly returns 0 on success rather than error—this file appears to assume the reverse, and was leading to erroneous claims that the SACL did not exist. 3. ./configure --with-experimental-modules 4. Added "#define WITH_OPEN_DIRECTORY 1" to src/modules/rlm_mschap/config.h (there doesn't appear to be a configure option for it). 5. make && make install 6. Uncommented "use_open_directory = yes" in /usr/local/etc/raddb/mods-available/mschap 7. sudo /usr/local/sbin/radiusd -X But I now see the following error: (8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (8) mschap: No NT-Password configured. Trying OpenDirectory Authentication (8) mschap: OD username_string = testuser, OD shortUserName=testuser (length = 8) rlm_mschap: authentication failed -14091 (8) [mschap] = reject (8) } # Auth-Type MS-CHAP = reject I don't know whether this is the same problem as that which I was previously experiencing under v2.2.0 (the error code is obviously different), but in any event this error is no more meaningful to me than before... so I'm just as stuck! Grateful for any further thoughts or suggestions. Kind regards, Alan
On Jun 10, 2015, at 12:15 PM, Alan Egerton <eggyal@gmail.com> wrote:
On Wed, Jun 10, 2015 at 1:49 PM, Alan DeKok <aland@deployingradius.com> wrote:
I suggest trying to install 3.0.8. We've put more messages into the module which *should* help track down exactly what's going wrong.
Okay, to attempt with 3.0.8 I did the following:
1. Downloaded and extracted ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.8.tar.gz
2. Reversed the logic on line 363 of src/modules/rlm_opendirectory/rlm_opendirectory.c: rad_getgid() is defined in lines 1419 to 1437 of src/main/util.c, and clearly returns 0 on success rather than error—this file appears to assume the reverse, and was leading to erroneous claims that the SACL did not exist.
I've pushed a fix for that.
3. ./configure --with-experimental-modules
4. Added "#define WITH_OPEN_DIRECTORY 1" to src/modules/rlm_mschap/config.h (there doesn't appear to be a configure option for it).
I've pushed a fix for that.
But I now see the following error:
(8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (8) mschap: No NT-Password configured. Trying OpenDirectory Authentication (8) mschap: OD username_string = testuser, OD shortUserName=testuser (length = 8) rlm_mschap: authentication failed -14091
I've pushed a slight fix for that. It now prints a bit better name for the error.
(8) [mschap] = reject (8) } # Auth-Type MS-CHAP = reject
I don't know whether this is the same problem as that which I was previously experiencing under v2.2.0 (the error code is obviously different), but in any event this error is no more meaningful to me than before... so I'm just as stuck!
From looking around the net... the error seems to be that the passwords are not stored in clear-text. So OpenDirectory can't do MS-CHAP authentication. Honestly, the best approach is to use OpenDirectory as an LDAP server. Ignore the OpenDirectory API. Just let FreeRADIUS grab the password from LDAP, and then use that to authenticate. Alan DeKok.
On Wednesday, 10 June 2015, Alan DeKok <aland@deployingradius.com> wrote:
Honestly, the best approach is to use OpenDirectory as an LDAP server. Ignore the OpenDirectory API. Just let FreeRADIUS grab the password from LDAP, and then use that to authenticate.
I'm pretty sure that Open Directory only stores password hashes, so the plaintext won't be available over LDAP... Perhaps EAP/PAP is the only option? Alan
-- -- Alan
On Jun 10, 2015, at 2:34 PM, Alan Egerton <eggyal@gmail.com> wrote:
I'm pretty sure that Open Directory only stores password hashes, so the plaintext won't be available over LDAP...
You should be able to change that.
Perhaps EAP/PAP is the only option?
I don't think that is an option. The authentication method is controlled by the end user / NAS, not FreeRADIUS. Alan DeKok.
We’re an all-Apple campus and we currently use OpenDirectory as our central auth system. This includes being the backend for our wireless auth using EAP-PEAP/MSCHAPv2. Our system does work, so this is possible. One thing that we tried, failed, and gave up on was building a modern FR build to talk directly to OpenDirectory. There was too much secret sauce, and we’ve found that messing with the Apple servers too much causes weirdness and/or failures that are difficult to diagnose or get help with. We ended up building a modern FR on Linux and then proxying all requests to the Apple-supplied FR server running on the OpenDirectory machine. This let us change all the FR configuration we wanted to (on the linux box) and left the Apple box as stock as possible. You just need to add a client definition on the Apple server using their ‘radiusconfig’ tool: sudo radiusconfig -addclient <ipaddr of parodying box> <short name of parodying box> other In terms of your MSCHAP error, that does still sound a little odd. Older versions of OD (pre 10.7?) used to have configuration options for which recoverable hashes you wanted to store your passwords with. If you didn’t check the MSCHAP box, then you couldn’t do that form of auth. However, recent builds no longer have this option, so I’m guessing that OD stores passwords in a recoverable form by default. Again, our stock build does allow MSCHAP authentication, so I’m not sure why you’d get that error. Do you have another OD server you can spin up to test a clean install? Our experience (4 different OpenDirectory servers) has been that you just add the radius client and authentication “just works” for PEAP/MSCHAPv2. Jason
On 12 Jun 2015, at 21:34, Jason Healy <jhealy@logn.net> wrote:
We’re an all-Apple campus and we currently use OpenDirectory as our central auth system. This includes being the backend for our wireless auth using EAP-PEAP/MSCHAPv2. Our system does work, so this is possible.
One thing that we tried, failed, and gave up on was building a modern FR build to talk directly to OpenDirectory. There was too much secret sauce, and we’ve found that messing with the Apple servers too much causes weirdness and/or failures that are difficult to diagnose or get help with.
We ended up building a modern FR on Linux and then proxying all requests to the Apple-supplied FR server running on the OpenDirectory machine. This let us change all the FR configuration we wanted to (on the linux box) and left the Apple box as stock as possible. You just need to add a client definition on the Apple server using their ‘radiusconfig’ tool:
sudo radiusconfig -addclient <ipaddr of parodying box> <short name of parodying box> other
In terms of your MSCHAP error, that does still sound a little odd. Older versions of OD (pre 10.7?) used to have configuration options for which recoverable hashes you wanted to store your passwords with. If you didn’t check the MSCHAP box, then you couldn’t do that form of auth. However, recent builds no longer have this option, so I’m guessing that OD stores passwords in a recoverable form by default. Again, our stock build does allow MSCHAP authentication, so I’m not sure why you’d get that error.
Do you have another OD server you can spin up to test a clean install? Our experience (4 different OpenDirectory servers) has been that you just add the radius client and authentication “just works” for PEAP/MSCHAPv2.
There's code sitting in a branch off of a very old version of v2, which seems to deal explicitly with NTLM against Open Directory. It uses a newer framework than the existing rlm_opendirectory. Apple contributed it back in 2011, but there was never significant interest in getting it merged. If someone is able to test (I can port it into v3.1.x), it would be nice to be able to authenticate against modern open directory servers. https://github.com/FreeRADIUS/freeradius-server/commit/6040566cfa969da1bce08... -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Actually I resolved the MS-CHAP error: the method was not enabled in our OD Password Server (perhaps this is now the default in Server v4, since we have no record of having disabled it). Enabling the method simply involved adding it the dsAttrTypeNative:apple-enabled-auth-mech attribute in the /config/dirserv OD record (and then changing user passwords in order to generate appropriate hashes). The Apple FR build is now working fine. Best, -- Alan On Saturday, 13 June 2015, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 12 Jun 2015, at 21:34, Jason Healy <jhealy@logn.net <javascript:;>> wrote:
We’re an all-Apple campus and we currently use OpenDirectory as our central auth system. This includes being the backend for our wireless auth using EAP-PEAP/MSCHAPv2. Our system does work, so this is possible.
One thing that we tried, failed, and gave up on was building a modern FR build to talk directly to OpenDirectory. There was too much secret sauce, and we’ve found that messing with the Apple servers too much causes weirdness and/or failures that are difficult to diagnose or get help with.
We ended up building a modern FR on Linux and then proxying all requests to the Apple-supplied FR server running on the OpenDirectory machine. This let us change all the FR configuration we wanted to (on the linux box) and left the Apple box as stock as possible. You just need to add a client definition on the Apple server using their ‘radiusconfig’ tool:
sudo radiusconfig -addclient <ipaddr of parodying box> <short name of parodying box> other
In terms of your MSCHAP error, that does still sound a little odd. Older versions of OD (pre 10.7?) used to have configuration options for which recoverable hashes you wanted to store your passwords with. If you didn’t check the MSCHAP box, then you couldn’t do that form of auth. However, recent builds no longer have this option, so I’m guessing that OD stores passwords in a recoverable form by default. Again, our stock build does allow MSCHAP authentication, so I’m not sure why you’d get that error.
Do you have another OD server you can spin up to test a clean install? Our experience (4 different OpenDirectory servers) has been that you just add the radius client and authentication “just works” for PEAP/MSCHAPv2.
There's code sitting in a branch off of a very old version of v2, which seems to deal explicitly with NTLM against Open Directory. It uses a newer framework than the existing rlm_opendirectory.
Apple contributed it back in 2011, but there was never significant interest in getting it merged.
If someone is able to test (I can port it into v3.1.x), it would be nice to be able to authenticate against modern open directory servers.
https://github.com/FreeRADIUS/freeradius-server/commit/6040566cfa969da1bce08...
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org <javascript:;>> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-- -- Alan
Actually I resolved the MS-CHAP error: the method was not enabled in our OD Password Server (perhaps this is now the default in Server v4, since we have no record of having disabled it).
Enabling the method simply involved adding it the dsAttrTypeNative:apple-enabled-auth-mech attribute in the /config/dirserv OD record (and then changing user passwords in order to generate appropriate hashes). The Apple FR build is now working fine.
This definitely needs documenting then. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi,
This definitely needs documenting then.
so long as its the right way of doing it :-) this document covers the same issue - various AuthMethods missing since Lion. added back with dscl command: https://discussions.apple.com/thread/6053980?tstart=0 alan
https://github.com/FreeRADIUS/freeradius-server/commit/101177893350adea19f3b... Already done. On Jun 13, 2015, at 11:59 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
Actually I resolved the MS-CHAP error: the method was not enabled in our OD Password Server (perhaps this is now the default in Server v4, since we have no record of having disabled it).
Enabling the method simply involved adding it the dsAttrTypeNative:apple-enabled-auth-mech attribute in the /config/dirserv OD record (and then changing user passwords in order to generate appropriate hashes). The Apple FR build is now working fine.
This definitely needs documenting then.
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Alan Egerton -
Arran Cudbard-Bell -
Jason Healy -
Stefan Paetow