Stripping the domain from the username
Hi all I would be grateful for some pointers with an issue I am experiencing at a customer's site. I need to strip the domain part of the username that users are authenticating with. For example, a user will type in bob@example.com during authentication to the wireless network, but the username at the backend in the directory system is just 'bob'. I know that this is a common request of freeradius and I have tried to configure it in the conf files, but clearly I am not doing something correctly. I can't seem to get the 'Stripped-User-Name' to be used where I expect it. If someone can prod me in the right direction, I'd really appreciate it. The actual domain name in the below text has been replaced with example.co.uk. sh-3.2# radiusd -X radiusd: FreeRADIUS Version 2.2.9, for host i386-apple-darwin13.0, built on Sep 15 2016 at 12:27:36 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /Library/Server/radius/raddb/radiusd.conf including configuration file /Library/Server/radius/raddb/proxy.conf including configuration file /Library/Server/radius/raddb/clients.conf including files in directory /Library/Server/radius/raddb/modules/ including configuration file /Library/Server/radius/raddb/modules/acct_unique including configuration file /Library/Server/radius/raddb/modules/always including configuration file /Library/Server/radius/raddb/modules/attr_filter including configuration file /Library/Server/radius/raddb/modules/attr_rewrite including configuration file /Library/Server/radius/raddb/modules/cache including configuration file /Library/Server/radius/raddb/modules/chap including configuration file /Library/Server/radius/raddb/modules/checkval including configuration file /Library/Server/radius/raddb/modules/counter including configuration file /Library/Server/radius/raddb/modules/cui including configuration file /Library/Server/radius/raddb/modules/detail including configuration file /Library/Server/radius/raddb/modules/ detail.example.com including configuration file /Library/Server/radius/raddb/modules/detail.log including configuration file /Library/Server/radius/raddb/modules/dhcp_sqlippool including configuration file /Library/Server/radius/raddb/sql/mysql/ippool-dhcp.conf including configuration file /Library/Server/radius/raddb/modules/digest including configuration file /Library/Server/radius/raddb/modules/dynamic_clients including configuration file /Library/Server/radius/raddb/modules/echo including configuration file /Library/Server/radius/raddb/modules/etc_group including configuration file /Library/Server/radius/raddb/modules/exec including configuration file /Library/Server/radius/raddb/modules/expiration including configuration file /Library/Server/radius/raddb/modules/expr including configuration file /Library/Server/radius/raddb/modules/files including configuration file /Library/Server/radius/raddb/modules/inner-eap including configuration file /Library/Server/radius/raddb/modules/ippool including configuration file /Library/Server/radius/raddb/modules/krb5 including configuration file /Library/Server/radius/raddb/modules/ldap including configuration file /Library/Server/radius/raddb/modules/linelog including configuration file /Library/Server/radius/raddb/modules/logintime including configuration file /Library/Server/radius/raddb/modules/mac2ip including configuration file /Library/Server/radius/raddb/modules/mac2vlan including configuration file /Library/Server/radius/raddb/modules/mschap including configuration file /Library/Server/radius/raddb/modules/ntlm_auth including configuration file /Library/Server/radius/raddb/modules/opendirectory including configuration file /Library/Server/radius/raddb/modules/otp including configuration file /Library/Server/radius/raddb/modules/pam including configuration file /Library/Server/radius/raddb/modules/pap including configuration file /Library/Server/radius/raddb/modules/passwd including configuration file /Library/Server/radius/raddb/modules/perl including configuration file /Library/Server/radius/raddb/modules/policy including configuration file /Library/Server/radius/raddb/modules/preprocess including configuration file /Library/Server/radius/raddb/modules/radrelay including configuration file /Library/Server/radius/raddb/modules/radutmp including configuration file /Library/Server/radius/raddb/modules/realm including configuration file /Library/Server/radius/raddb/modules/redis including configuration file /Library/Server/radius/raddb/modules/rediswho including configuration file /Library/Server/radius/raddb/modules/replicate including configuration file /Library/Server/radius/raddb/modules/smbpasswd including configuration file /Library/Server/radius/raddb/modules/smsotp including configuration file /Library/Server/radius/raddb/modules/soh including configuration file /Library/Server/radius/raddb/modules/sql_log including configuration file /Library/Server/radius/raddb/modules/sqlcounter_expire_on_login including configuration file /Library/Server/radius/raddb/modules/sradutmp including configuration file /Library/Server/radius/raddb/modules/unix including configuration file /Library/Server/radius/raddb/modules/wimax including configuration file /Library/Server/radius/raddb/eap.conf including configuration file /Library/Server/radius/raddb/sql.conf including configuration file /Library/Server/radius/raddb/sql/sqlite/dialup.conf including configuration file /Library/Server/radius/raddb/policy.conf including files in directory /Library/Server/radius/raddb/sites-enabled/ including configuration file /Library/Server/radius/raddb/sites-enabled/control-socket including configuration file /Library/Server/radius/raddb/sites-enabled/default including configuration file /Library/Server/radius/raddb/sites-enabled/inner-tunnel main { allow_core_dumps = no } including dictionary file /Library/Server/radius/raddb/dictionary main { name = "radiusd" prefix = "/Applications/Server.app/Contents/ServerRoot/usr" localstatedir = "/private/var" sbindir = "/Applications/Server.app/Contents/ServerRoot/usr/sbin" logdir = "/private/var/log/radius" run_dir = "/private/var" libdir = "/Applications/Server.app/Contents/ServerRoot/usr/lib/freeradius" radacctdir = "/private/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/private/var/radiusd.pid" checkrad = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm example.co.uk { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /Library/Server/radius/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /Library/Server/radius/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /Library/Server/radius/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /Library/Server/radius/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /Library/Server/radius/raddb/sql.conf sql { driver = "rlm_sql_sqlite" server = "localhost" port = "" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/private/var/log/radius/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "" accounting_start_query_alt = "" accounting_stop_query = "" accounting_stop_query_alt = "" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #0 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #1 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #2 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #3 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #4 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_sqlite: sqlite3_prepare() = 0 rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.40.92.126,shortname=SCH-WAP-02,secret=testing123 rlm_sql (sql): Adding client 10.40.92.126 (SCH-WAP-02, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.40.92.127,shortname=SCH-WAP-01,secret=testing123 rlm_sql (sql): Adding client 10.40.92.127 (SCH-WAP-01, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.40.92.125,shortname=SCH-WAP-03,secret=testing123 rlm_sql (sql): Adding client 10.40.92.125 (SCH-WAP-03, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.40.92.179,shortname=Test-SG300,secret=testing123 rlm_sql (sql): Adding client 10.40.92.179 (Test-SG300, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.40.92.121,shortname=SCH-SWI-04-T13,secret=testing123 rlm_sql (sql): Adding client 10.40.92.121 (SCH-SWI-04-T13, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.40.92.122,shortname=SCH-SWI-03-T12,secret=testing123 rlm_sql (sql): Adding client 10.40.92.122 (SCH-SWI-03-T12, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.40.92.124,shortname=SCH-SWI-01-T11,secret=testing123 rlm_sql (sql): Adding client 10.40.92.124 (SCH-SWI-01-T11, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.40.92.123,shortname=SCH-SWI-02-T12,secret=testing123 rlm_sql (sql): Adding client 10.40.92.123 (SCH-SWI-02-T12, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname= 192.168.236.32/28,shortname=clearpass,secret=HHNueA8LTj rlm_sql (sql): Adding client 192.168.236.32 (clearpass, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.40.92.251,shortname=nana,secret=HHNueA8LTj rlm_sql (sql): Adding client 10.40.92.251 (nana, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 101 rlm_sql_sqlite: sqlite3_finalize() = 0 rlm_sql (sql): Released sql socket id: 4 } radiusd: #### Loading Virtual Servers #### server { # from file /Library/Server/radius/raddb/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Auth-Type = opendirectory Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /Library/Server/radius/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /Library/Server/radius/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /Library/Server/radius/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes use_open_directory = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /Library/Server/radius/raddb/modules/digest Module: Linked to module rlm_opendirectory Module: Instantiating module "opendirectory" from file /Library/Server/radius/raddb/modules/opendirectory Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /Library/Server/radius/raddb/modules/unix unix { radwtmp = "/private/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /Library/Server/radius/raddb/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/Library/Server/radius/raddb/certs" pem_file_type = yes private_key_file = "/Library/Server/radius/raddb/certs/server.key" certificate_file = "/Library/Server/radius/raddb/certs/server.crt" CA_file = "/Library/Server/radius/raddb/certs/server.crt" private_key_password = "whatever" dh_file = "/Library/Server/radius/raddb/certs/dh" random_file = "/Library/Server/radius/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" make_cert_command = "/Library/Server/radius/raddb/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /Library/Server/radius/raddb/modules/preprocess preprocess { huntgroups = "/Library/Server/radius/raddb/huntgroups" hints = "/Library/Server/radius/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /Library/Server/radius/raddb/huntgroups reading pairlist file /Library/Server/radius/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /Library/Server/radius/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /Library/Server/radius/raddb/modules/files files { usersfile = "/Library/Server/radius/raddb/users" acctusersfile = "/Library/Server/radius/raddb/acct_users" preproxy_usersfile = "/Library/Server/radius/raddb/preproxy_users" compat = "no" } reading pairlist file /Library/Server/radius/raddb/users reading pairlist file /Library/Server/radius/raddb/acct_users reading pairlist file /Library/Server/radius/raddb/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /Library/Server/radius/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /Library/Server/radius/raddb/modules/detail detail { detailfile = "/private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /Library/Server/radius/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/Library/Server/radius/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /Library/Server/radius/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /Library/Server/radius/raddb/modules/radutmp radutmp { filename = "/private/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /Library/Server/radius/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/Library/Server/radius/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /Library/Server/radius/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/private/var/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 53788 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /private/var/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=240, length=225 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0xcb3673c30e1a008614b794492d7bdc13 Proxy-State = 0x3230 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = " radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Proxying request from user radiustest to realm example.co.uk [suffix] Preparing to proxy authentication request to realm "example.co.uk" ++[suffix] = updated [eap] Request is supposed to be proxied to Realm example.co.uk. Not doing EAP. ++[eap] = noop ++[files] = noop [opendirectory] The host 192.168.236.44 does not have an access group. [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL [opendirectory] Setting Auth-Type = opendirectory ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 175 to 127.0.0.1 port 1812 User-Name = "radiustest" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3230 Proxy-State = 0x323430 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 175 to 127.0.0.1 port 1812 User-Name = "radiustest" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3230 Proxy-State = 0x323430 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=175, length=211 User-Name = "radiustest" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0x3501877b8486b13298815dbd61d54947 Proxy-State = 0x3230 Proxy-State = 0x323430 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "radiustest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 34 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [opendirectory] The host 127.0.0.1 does not have an access group. [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Identity (radiustest@example.co.uk) does not match User-Name (radiustest). Authentication failed. [eap] Failed in handler ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [radiustest/<via Auth-Type = EAP>] (from client localhost port 0 cli 109ADDC49B75) Using Post-Auth-Type Reject # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group REJECT { ++? if ("%{EAP-Message}") expand: %{EAP-Message} -> 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b ? Evaluating ("%{EAP-Message}") -> TRUE ++? if ("%{EAP-Message}") -> TRUE ++if ("%{EAP-Message}") { +++update reply { expand: %{Message-Authenticator} -> 0x3501877b8486b13298815dbd61d54947 +++} # update reply = noop ++} # if ("%{EAP-Message}") = noop [attr_filter.access_reject] expand: %{User-Name} -> radiustest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 175 to 127.0.0.1 port 1814 Proxy-State = 0x3230 Proxy-State = 0x323430 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=175, length=53 Proxy-State = 0x3230 Proxy-State = 0x323430 EAP-Message = 0x04040004 Message-Authenticator = 0xe9f8dcb50c101f38f7426e72c427df74 # Executing section post-proxy from file /Library/Server/radius/raddb/sites-enabled/default +group post-proxy { [eap] No pre-existing handler found ++[eap] = noop +} # group post-proxy = noop Login incorrect (Home Server says so): [radiustest@example.co.uk/<via Auth-Type = opendirectory>] (from client clearpass port 0 cli 109ADDC49B75) Using Post-Auth-Type Reject # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group REJECT { ++? if ("%{EAP-Message}") expand: %{EAP-Message} -> 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b ? Evaluating ("%{EAP-Message}") -> TRUE ++? if ("%{EAP-Message}") -> TRUE ++if ("%{EAP-Message}") { +++update reply { expand: %{Message-Authenticator} -> 0xcb3673c30e1a008614b794492d7bdc13 +++} # update reply = noop ++} # if ("%{EAP-Message}") = noop [attr_filter.access_reject] expand: %{User-Name} -> radiustest@example.co.uk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Sending Access-Reject of id 240 to 192.168.236.44 port 1815 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3230 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=241, length=225 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0xf8eff948324a373824b6eeb749b7a675 Proxy-State = 0x3231 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = " radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Proxying request from user radiustest to realm example.co.uk [suffix] Preparing to proxy authentication request to realm "example.co.uk" ++[suffix] = updated [eap] Request is supposed to be proxied to Realm example.co.uk. Not doing EAP. ++[eap] = noop ++[files] = noop [opendirectory] The host 192.168.236.44 does not have an access group. [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL [opendirectory] Setting Auth-Type = opendirectory ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 193 to 127.0.0.1 port 1812 User-Name = "radiustest" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3231 Proxy-State = 0x323431 Proxying request 2 to home server 127.0.0.1 port 1812 Sending Access-Request of id 193 to 127.0.0.1 port 1812 User-Name = "radiustest" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3231 Proxy-State = 0x323431 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=193, length=211 User-Name = "radiustest" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0xebdffca338692d279cfd1828df9606fe Proxy-State = 0x3231 Proxy-State = 0x323431 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "radiustest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 34 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [opendirectory] The host 127.0.0.1 does not have an access group. [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Identity (radiustest@example.co.uk) does not match User-Name (radiustest). Authentication failed. [eap] Failed in handler ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [radiustest/<via Auth-Type = EAP>] (from client localhost port 0 cli 109ADDC49B75) Using Post-Auth-Type Reject # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group REJECT { ++? if ("%{EAP-Message}") expand: %{EAP-Message} -> 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b ? Evaluating ("%{EAP-Message}") -> TRUE ++? if ("%{EAP-Message}") -> TRUE ++if ("%{EAP-Message}") { +++update reply { expand: %{Message-Authenticator} -> 0xebdffca338692d279cfd1828df9606fe +++} # update reply = noop ++} # if ("%{EAP-Message}") = noop [attr_filter.access_reject] expand: %{User-Name} -> radiustest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 193 to 127.0.0.1 port 1814 Proxy-State = 0x3231 Proxy-State = 0x323431 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=193, length=53 Proxy-State = 0x3231 Proxy-State = 0x323431 EAP-Message = 0x04040004 Message-Authenticator = 0xee1e8865c1c3badd0ed55be65dc5dbe9 # Executing section post-proxy from file /Library/Server/radius/raddb/sites-enabled/default +group post-proxy { [eap] No pre-existing handler found ++[eap] = noop +} # group post-proxy = noop Login incorrect (Home Server says so): [radiustest@example.co.uk/<via Auth-Type = opendirectory>] (from client clearpass port 0 cli 109ADDC49B75) Using Post-Auth-Type Reject # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group REJECT { ++? if ("%{EAP-Message}") expand: %{EAP-Message} -> 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b ? Evaluating ("%{EAP-Message}") -> TRUE ++? if ("%{EAP-Message}") -> TRUE ++if ("%{EAP-Message}") { +++update reply { expand: %{Message-Authenticator} -> 0xf8eff948324a373824b6eeb749b7a675 +++} # update reply = noop ++} # if ("%{EAP-Message}") = noop [attr_filter.access_reject] expand: %{User-Name} -> radiustest@example.co.uk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Sending Access-Reject of id 241 to 192.168.236.44 port 1815 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3231 Finished request 2. Going to the next request Cleaning up request 1 ID 175 with timestamp +43 Cleaning up request 0 ID 240 with timestamp +43 Waking up in 4.9 seconds. Thank you Stuart -- Crossover Solutions Ltd Pound House, 62A Highgate High Street, London, N6 5HX www.crossover.solutions <http://crossover.solutions> • 020 3637 4655 Registered in England and Wales No: 9593204 Registered address as stated Members of the Apple Consultants Network <https://consultants.apple.com/uk/988258> Please submit new support requests to support@crossover.solutions <mailto:support@crossover.solutions>
On Jan 12, 2020, at 5:48 AM, Stuart Ramdeen <stuart@crossover.solutions> wrote:
I would be grateful for some pointers with an issue I am experiencing at a customer's site. I need to strip the domain part of the username that users are authenticating with.
Note: do NOT change the User-Name. It WILL break everything.
For example, a user will type in bob@example.com during authentication to the wireless network, but the username at the backend in the directory system is just 'bob'. I know that this is a common request of freeradius and I have tried to configure it in the conf files, but clearly I am not doing something correctly. I can't seem to get the 'Stripped-User-Name' to be used where I expect it.
The default configuration works. All you do is add "example.com" in proxy.conf as a LOCAL realm, and everything will just work.
sh-3.2# radiusd -X radiusd: FreeRADIUS Version 2.2.9, for host i386-apple-darwin13.0, built on
That's been EOL for many, many, years. I suggest moving to v3. Or at least 2.2.10.
Ready to process requests. rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=240, length=225 User-Name = "radiustest@example.co.uk"
Note: this is the full name.
EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
And EAP. The above line *also* contains the full user name.
Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0xcb3673c30e1a008614b794492d7bdc13 Proxy-State = 0x3230 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = " radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Proxying request from user radiustest to realm example.co.uk [suffix] Preparing to proxy authentication request to realm "example.co.uk" ++[suffix] = updated
That's all fine, except for the proxying bit.
[eap] Request is supposed to be proxied to Realm example.co.uk. Not doing EAP. ++[eap] = noop ++[files] = noop [opendirectory] The host 192.168.236.44 does not have an access group. [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL [opendirectory] Setting Auth-Type = opendirectory ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 175 to 127.0.0.1 port 1812 User-Name = "radiustest"
There's the issue. The User-Name shouldn't be mangled during proxying.
... Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 175 to 127.0.0.1 port 1812 ... Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=175, length=211 User-Name = "radiustest"
Uh... what? Why are is the server proxying the packet to itself? This isn't necessary. There's just no need to make the configuration this complex. Change the proxy.conf config to have: realm example.co.uk { } The server will treat "example.co.uk" as a local realm, and do authentication itself. It will work. Alan DeKok.
Hi Alan Thank you for your reply. I have made the change you suggested and (in my novice view) there now appears to be more progress than before. I completely appreciate that it's an old build, but it was included with an older version of macOS Server and I'm trying to get things working before I attempt to update anything. It relies on an Apple module 'opendirectory', which is responsible for querying the directory service running on the Mac server, and so I don't want to change anything yet until I can get things going. I certainly take your point on board though and will look to update to 2.2.10 as soon as possible. Here is the latest debug output after making the change you suggested. If I am interpreting this correctly, the 'radiustest@example.co.uk' username is being stripped and passed to the directory server during request 0: [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL but by the time it gets to request 6 it is using the full username rather than the portion before the @: [mschap] Creating challenge hash with username: radiustest@example.co.uk [mschap] Client is using MS-CHAPv2 for radiustest@example.co.uk, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Unable to find record radiustest@example.co.uk in OD [mschap] Authentication failed for radiustest@example.co.uk ++[mschap] = fail At this point the directory server is seeing a request for radiustest@example.co.uk and rejecting it because of course the username in that format does not exist. Do I need to change anything so that the mschap module is creating the challenge hash with 'radiustest' rather than 'radiustest@example.co.uk', or am I barking up the wrong tree? rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=139, length=238 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x2577b12b1827b2d1f2a6a2b4f41b74c5 Proxy-State = 0x3635 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 34 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [opendirectory] The host 192.168.236.45 does not have an access group. [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 139 to 192.168.236.45 port 1814 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa2d31bd8fb902e08f9c31ec3 Proxy-State = 0x3635 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=140, length=353 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0202008315800000007916030100740100007003015e1baa8d3cb0084332627d1fd466f39541f629dc3248b4d4771d23ad28bd3a1800002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x9e28ec7582c40e3e92a115082a8f054a Proxy-State = 0x3636 State = 0xa2d10e0fa2d31bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 131 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 121 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0074], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0665], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: SSLv3 read client certificate A [ttls] TLS_accept: Need to read more data: SSLv3 read client key exchange A [ttls] TLS_accept: Need to read more data: SSLv3 read client key exchange A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 140 to 192.168.236.45 port 1814 EAP-Message = 0x0103040015c0000008011603010039020000350301b48378abbf7494e069a915f1a572a970e6394437deb9b6fcfba966858aa4697900c01400000dff01000100000b00040300010216030106650b00066100065e00032c3082032830820210a003020102020101300b06092a864886f70d01010b302e311f301d06035504030c16706574657270616e2e676f73682e696e7465726e616c310b3009060355040613024742301e170d3134303832373132313431355a170d3334303832323132313431355a302e311f301d06035504030c16706574657270616e2e676f73682e696e7465726e616c310b300906035504061302474230820122300d06092a EAP-Message = 0x864886f70d01010105000382010f003082010a0282010100a77252a7791bb62f2b8123027ad8cbc388283bee0e334f72e1ca133ebc9b22b84e05b44db7056bcbe8cb4030ff756f91ae48ac7455c6b062c1009301e68847860ab9d642c6ad5990ee7edc417d7dedc3507246ab2ff72afd4160bbe9e0389b20d830082cf91439c344537294b34d78a485df9a8234fe82371c1e16d64cfcce85307216d6517061719f78192f576dd747d805bfa099ed386cbc0ad934b27b311d293aa72af0b7890038ab339df22f70d032ace28ab07d14306232a6a38cfa685afe8bff98f3bddc97cf4389aa0b5f6fa21f7386b72fd14a0879663b618acae7eca2ad59d1d8 EAP-Message = 0x5d927df217427226e7085981260b2f3c7d11bed5808be9333240c10203010001a3533051300e0603551d0f0101ff04040302078030160603551d250101ff040c300a06082b0601050507030130270603551d110420301e8216706574657270616e2e676f73682e696e7465726e616c87040a285cfe300d06092a864886f70d01010b05000382010100407dcb7982c1ec5523ba0b0012255c1d9a11e749b64f2fc121c82529faa3a23fe0fdc53e13004e301fd589ed13f31ca5d63f7cbbce08e211774b6a7ed2b55eed07ab4814046390e8cb22cc47eddd4846c6a709379572875b93dc87a5fe6c54c9a04b6dff791669df38a076ddbd2e718d123fcec7 EAP-Message = 0xe5797635ce17913c9960ba6d82aa46e460bc0abe7384d06d5499d42939f2c72e706e8dbc9cac22dc315f5539af9662461f1f85a5dbd5a892f0ec10c3578ef8c1bf5d2d8150df94eb034146ec458654dd1740c1707f86bb4203a549b9d0d98ab19788238717c1140842ae944d4c2dc50ddf1d4adf6d61d932f892495a264a8b87629bb0a7d76f1b7187a2118200032c3082032830820210a003020102020101300b06092a864886f70d01010b302e311f301d06035504030c16706574657270616e2e676f73682e696e7465726e616c310b3009060355040613024742301e170d3134303832373132313431355a170d3334303832323132313431355a30 EAP-Message = 0x2e311f301d06035504030c16 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa3d21bd8fb902e08f9c31ec3 Proxy-State = 0x3636 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=141, length=228 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020300061500 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0xe4c9628a13844ea439eb4d01e968ed8c Proxy-State = 0x3637 State = 0xa2d10e0fa3d21bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 141 to 192.168.236.45 port 1814 EAP-Message = 0x0104040015c000000801706574657270616e2e676f73682e696e7465726e616c310b300906035504061302474230820122300d06092a864886f70d01010105000382010f003082010a0282010100a77252a7791bb62f2b8123027ad8cbc388283bee0e334f72e1ca133ebc9b22b84e05b44db7056bcbe8cb4030ff756f91ae48ac7455c6b062c1009301e68847860ab9d642c6ad5990ee7edc417d7dedc3507246ab2ff72afd4160bbe9e0389b20d830082cf91439c344537294b34d78a485df9a8234fe82371c1e16d64cfcce85307216d6517061719f78192f576dd747d805bfa099ed386cbc0ad934b27b311d293aa72af0b7890038ab339df22f70 EAP-Message = 0xd032ace28ab07d14306232a6a38cfa685afe8bff98f3bddc97cf4389aa0b5f6fa21f7386b72fd14a0879663b618acae7eca2ad59d1d85d927df217427226e7085981260b2f3c7d11bed5808be9333240c10203010001a3533051300e0603551d0f0101ff04040302078030160603551d250101ff040c300a06082b0601050507030130270603551d110420301e8216706574657270616e2e676f73682e696e7465726e616c87040a285cfe300d06092a864886f70d01010b05000382010100407dcb7982c1ec5523ba0b0012255c1d9a11e749b64f2fc121c82529faa3a23fe0fdc53e13004e301fd589ed13f31ca5d63f7cbbce08e211774b6a7ed2b5 EAP-Message = 0x5eed07ab4814046390e8cb22cc47eddd4846c6a709379572875b93dc87a5fe6c54c9a04b6dff791669df38a076ddbd2e718d123fcec7e5797635ce17913c9960ba6d82aa46e460bc0abe7384d06d5499d42939f2c72e706e8dbc9cac22dc315f5539af9662461f1f85a5dbd5a892f0ec10c3578ef8c1bf5d2d8150df94eb034146ec458654dd1740c1707f86bb4203a549b9d0d98ab19788238717c1140842ae944d4c2dc50ddf1d4adf6d61d932f892495a264a8b87629bb0a7d76f1b7187a21182160301014b0c00014703001741048d722a0b65270892e9bc75ac1f1878571255941d4b8abaed393150566d0825d54eaa1b976720593172fa05575d EAP-Message = 0x93e38a901481b6bf8c6b160cfa68e176d2b873010040ee1d51f30a3fbe39eb5378d2dc0922e18af5a76a55055036a18ecf84a8935a29f89c2b397a655bee4a613a6fdbc955890061dc2534b37a3d5d61a189f27dded1401addc29706f7abbdbb7e761d62a9a9a88411ac32061423a1660fb4db6fdf46ea2706778337476fe961a5cb0319284962c0d40397fc21e97cca94a6360540e51eb2137ebb4675c5cee9ef6473900a10d3a0a35e1dfab899237d996d40341df170cd8f10cc3b511eece77dea00ec3b779de982dec5d4cc664407ec59455e220d9a09438e870c413f4964eb05f043ac9acaa7937e8f7b448aed3123d2600bc471092aa7dafc2d32 EAP-Message = 0x6bc8be0bf5a6db8e5df2c928 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa0d51bd8fb902e08f9c31ec3 Proxy-State = 0x3637 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=142, length=228 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020400061500 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x5721d8a0eb68e0f1a13a0125c7c3a987 Proxy-State = 0x3639 State = 0xa2d10e0fa0d51bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 142 to 192.168.236.45 port 1814 EAP-Message = 0x0105001f1580000008014456b73978ff61a3af0ca4ba16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa1d41bd8fb902e08f9c31ec3 Proxy-State = 0x3639 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=143, length=366 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020500901580000000861603010046100000424104210a608054c8ddd857c4896c9107fbe88964d18caf4ad086cee42cda06ea5d685038f7ca5521bfa175227cca875345b6c9e0c6445a4e4f23d362eab64360d9e41403010001011603010030941a8535af0b548685d350fc4433c7ef5cad07647d29bd43f42191382861f4391c2f9198dfe9f4e8863ef7c875ce53a5 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x3038ce0ef15655a7fe33028aaa671617 Proxy-State = 0x3730 State = 0xa2d10e0fa1d41bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 134 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 143 to 192.168.236.45 port 1814 EAP-Message = 0x0106004515800000003b140301000101160301003002a2021500d744536bcfcf1b18ab41d9b3dbdeb95b34c6589d07ed092183aeb8f4ce37bcc6bd820084049674e9820ccb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa6d71bd8fb902e08f9c31ec3 Proxy-State = 0x3730 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=144, length=317 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0206005f158000000055170301005005b067f60adac124a184ecc57e6ecc32a8221bbb603ee5924bb79b3ff765334f5cc0c61e0bdd250711ce7888313e6aa003d960b2b9f6843f1a3a94e5e21b7421540dd7f1d2336dc9cbe0bbf664ca1a08 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x20dd42545594cfbe970274ddab52a1d6 Proxy-State = 0x3731 State = 0xa2d10e0fa6d71bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 95 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 85 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x02000022017261646975737465737440676f73682e63616d64656e2e7363682e756b FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Got tunneled identity of radiustest@example.co.uk [ttls] Setting default EAP type for tunneled EAP session. [ttls] Sending tunneled request EAP-Message = 0x02000022017261646975737465737440676f73682e63616d64656e2e7363682e756b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "radiustest@example.co.uk" server inner-tunnel { # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 0 length 34 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code Access-Challenge EAP-Message = 0x010100371a0101003210006815de0f512aa5e084a9c577c5aef27261646975737465737440676f73682e63616d64656e2e7363682e756b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d27f3ae6d26e9777944e6ecebb16dd4 [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 144 to 192.168.236.45 port 1814 EAP-Message = 0x0107009415800000008a17030100201e23f0c8900a7e96509629eb6ee466d25f4ad0e738cf60f9715db3766bd3435a1703010060712a160f13ed9d92772dee8895efb7918e93bd920ee8204bc2d5c89a30a08551f9e4a480fcc024f50ca4d16cb7dd0cf5594e88ffcfe0415d46c1d79c317675af2fcc8a32a1eb0e1686adf3c006ed894e174e4eefb10dd7d158fcf8a2c9bb736a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa7d61bd8fb902e08f9c31ec3 Proxy-State = 0x3731 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=145, length=365 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0207008f1580000000851703010080271f7fdade241a0c58e453a885367d4a60ed1ff1569ac5ae6157a339509575b444fb0cd29369a63bc9b2c148cb3e9a8b8806c557ac9be0955c149262709898b4eff18819206df5f98590494f9c4ad8824d6d586540d365f00ab52f6c82604a4f8e4188ca3733a3fbfe70121824006bdd47a2fed015d775560c16e6c8e39de6a2 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0xb5e0114d038530bdd5213c43186c635c Proxy-State = 0x3732 State = 0xa2d10e0fa7d61bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 143 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 133 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x020100581a0201005331a8ee034419131e7f9fddd19a5a0ba426000000000000000077e94ca004cea6e84942642ad7a244ac8bba9b32193bbfd1007261646975737465737440676f73682e63616d64656e2e7363682e756b FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x020100581a0201005331a8ee034419131e7f9fddd19a5a0ba426000000000000000077e94ca004cea6e84942642ad7a244ac8bba9b32193bbfd1007261646975737465737440676f73682e63616d64656e2e7363682e756b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "radiustest@example.co.uk" State = 0x6d27f3ae6d26e9777944e6ecebb16dd4 server inner-tunnel { # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 1 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: radiustest@example.co.uk [mschap] Client is using MS-CHAPv2 for radiustest@example.co.uk, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Unable to find record radiustest@example.co.uk in OD [mschap] Authentication failed for radiustest@example.co.uk ++[mschap] = fail +} # group MS-CHAP = fail [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Login incorrect: [radiustest@example.co.uk/<via Auth-Type = EAP>] (from client clearpass port 0 via TLS tunnel) Using Post-Auth-Type Reject # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> radiustest@example.co.uk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [ttls] Got tunneled reply code Access-Reject MS-CHAP-Error = "\001E=691 R=1" EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user radiustest@example.co.uk [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [radiustest@example.co.uk/<via Auth-Type = EAP>] (from client clearpass port 0 cli 109ADDC49B75) Using Post-Auth-Type Reject # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group REJECT { ++? if ("%{EAP-Message}") expand: %{EAP-Message} -> 0x0207008f1580000000851703010080271f7fdade241a0c58e453a885367d4a60ed1ff1569ac5ae6157a339509575b444fb0cd29369a63bc9b2c148cb3e9a8b8806c557ac9be0955c149262709898b4eff18819206df5f98590494f9c4ad8824d6d586540d365f00ab52f6c82604a4f8e4188ca3733a3fbfe70121824006bdd47a2fed015d775560c16e6c8e39de6a2 ? Evaluating ("%{EAP-Message}") -> TRUE ++? if ("%{EAP-Message}") -> TRUE ++if ("%{EAP-Message}") { +++update reply { expand: %{Message-Authenticator} -> 0xb5e0114d038530bdd5213c43186c635c +++} # update reply = noop ++} # if ("%{EAP-Message}") = noop [attr_filter.access_reject] expand: %{User-Name} -> radiustest@example.co.uk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 145 to 192.168.236.45 port 1814 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3732 Waking up in 3.8 seconds. Thank you Stuart -- Crossover Solutions Ltd Pound House, 62A Highgate High Street, London, N6 5HX www.crossover.solutions <http://crossover.solutions> • 020 3637 4655 Registered in England and Wales No: 9593204 Registered address as stated Members of the Apple Consultants Network <https://consultants.apple.com/uk/988258> Please submit new support requests to support@crossover.solutions <mailto:support@crossover.solutions>
On Jan 12, 2020, at 6:42 PM, Stuart Ramdeen <stuart@crossover.solutions> wrote:
Thank you for your reply. I have made the change you suggested and (in my novice view) there now appears to be more progress than before.
That's good, but...
I completely appreciate that it's an old build, but it was included with an older version of macOS Server and I'm trying to get things working before I attempt to update anything. It relies on an Apple module 'opendirectory', which is responsible for querying the directory service running on the Mac server, and so I don't want to change anything yet until I can get things going. I certainly take your point on board though and will look to update to 2.2.10 as soon as possible.
OK.
Here is the latest debug output after making the change you suggested. If I am interpreting this correctly, the 'radiustest@example.co.uk' username is being stripped and passed to the directory server during request 0:
The User-Name is used to create a Stripped-User-Name attribute. The User-Name is *not* edited. This is important. Also, the "opendirectory" module is looking at Stripped-User-Name for user lookups. This is fine.
[opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL
but by the time it gets to request 6 it is using the full username rather than the portion before the @:
[mschap] Creating challenge hash with username: radiustest@example.co.uk [mschap] Client is using MS-CHAPv2 for radiustest@example.co.uk, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Unable to find record radiustest@example.co.uk in OD [mschap] Authentication failed for radiustest@example.co.uk ++[mschap] = fail
Yes. "radiustest@example.co.uk" doesn't exist in OD. However, you should know that the MS-CHAP calculations are done on the full User-Name that is passed to FreeRADIUS. You *cannot* pass just a portion of the User-Name to OpenDirectory and expect the MS-CHAP calculations to work. They won't.
At this point the directory server is seeing a request for radiustest@example.co.uk and rejecting it because of course the username in that format does not exist. Do I need to change anything so that the mschap module is creating the challenge hash with 'radiustest' rather than 'radiustest@example.co.uk', or am I barking up the wrong tree?
What you want to do is impossible. OpenDirectory won't give FreeRADIUS the users password, so that FreeRADIUS can do the MS-CHAP calculations. OpenDirectory won't automatically look up just the "radiustest" portion of the users name, BUT use the whole "radiustest@example.co.uk" for the MS-CHAP calculations. Your options are: a) do PEAP with plain usernames, i.e. "radiustest" and not "radiustest@example.co.uk" b) put the users password into a database that FreeRADIUS can read. Alan DeKok.
Hi Alan Thanks for confirming that what we're trying to do just isn't possible. I think I'm going to look into adding an alias to every user in the directory that contains the username formatted as an email address so that OD is able to successfully authenticate the user and the MS-CHAP calculations complete successfully. Best wishes, Stuart On Sun, 12 Jan 2020 at 23:56, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 12, 2020, at 6:42 PM, Stuart Ramdeen <stuart@crossover.solutions> wrote:
Thank you for your reply. I have made the change you suggested and (in my novice view) there now appears to be more progress than before.
That's good, but...
I completely appreciate that it's an old build, but it was included with an older version of macOS Server and I'm trying to get things working before I attempt to update anything. It relies on an Apple module 'opendirectory', which is responsible for querying the directory service running on the Mac server, and so I don't want to change anything yet until I can get things going. I certainly take your point on board though and will look to update to 2.2.10 as soon as possible.
OK.
Here is the latest debug output after making the change you suggested. If I am interpreting this correctly, the 'radiustest@example.co.uk' username is being stripped and passed to the directory server during request 0:
The User-Name is used to create a Stripped-User-Name attribute. The User-Name is *not* edited. This is important.
Also, the "opendirectory" module is looking at Stripped-User-Name for user lookups. This is fine.
[opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL
but by the time it gets to request 6 it is using the full username rather than the portion before the @:
[mschap] Creating challenge hash with username: radiustest@example.co.uk [mschap] Client is using MS-CHAPv2 for radiustest@example.co.uk, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Unable to find record radiustest@example.co.uk in OD [mschap] Authentication failed for radiustest@example.co.uk ++[mschap] = fail
Yes. "radiustest@example.co.uk" doesn't exist in OD.
However, you should know that the MS-CHAP calculations are done on the full User-Name that is passed to FreeRADIUS. You *cannot* pass just a portion of the User-Name to OpenDirectory and expect the MS-CHAP calculations to work. They won't.
At this point the directory server is seeing a request for radiustest@example.co.uk and rejecting it because of course the username in that format does not exist. Do I need to change anything so that the mschap module is creating the challenge hash with 'radiustest' rather than 'radiustest@example.co.uk', or am I barking up the wrong tree?
What you want to do is impossible.
OpenDirectory won't give FreeRADIUS the users password, so that FreeRADIUS can do the MS-CHAP calculations.
OpenDirectory won't automatically look up just the "radiustest" portion of the users name, BUT use the whole "radiustest@example.co.uk" for the MS-CHAP calculations.
Your options are:
a) do PEAP with plain usernames, i.e. "radiustest" and not " radiustest@example.co.uk"
b) put the users password into a database that FreeRADIUS can read.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Crossover Solutions Ltd Pound House, 62A Highgate High Street, London, N6 5HX www.crossover.solutions <http://crossover.solutions> • 020 3637 4655 Registered in England and Wales No: 9593204 Registered address as stated Members of the Apple Consultants Network <https://consultants.apple.com/uk/988258> Please submit new support requests to support@crossover.solutions <mailto:support@crossover.solutions>
On Jan 14, 2020, at 4:59 PM, Stuart Ramdeen <stuart@crossover.solutions> wrote:
Hi Alan
Thanks for confirming that what we're trying to do just isn't possible. I think I'm going to look into adding an alias to every user in the directory that contains the username formatted as an email address so that OD is able to successfully authenticate the user and the MS-CHAP calculations complete successfully.
That's the best approach. Alan DeKok.
participants (2)
-
Alan DeKok -
Stuart Ramdeen