Unable to authenticate to 10.5.4 open directory

Thomas von Eyben thomasvoneyben at gmail.com
Tue Sep 2 11:50:24 CEST 2008


2008/9/2 Ivan Kalik <tnt at kalik.net>:
> You are using outdated version of the server which doesn't support
> virtual servers. In current version eap is processed by the default
> virtual server while inner tunnel is processed by - inner-tunnel virtual
> server. If you don't want to upgrade you can emulate this by using -
> real ones.
>
> Set up another radius server with identical configuration which will
> process inner tunnel requests. Add realm inner-tunnel to the current
> server proxy.conf which will proxy requests to the new server. Add this
> to users file:
>
> DEFAULT   FreeRADIUS-Proxied-To = 127.0.0.1, Proxy-To-Realm := "inner-tunnel"
>
> In that way stripped username will be sent to inner-tunnel server for
> authentication (which you have showed to work). You can't simply
> rewrite User-Name with Stripped-User-Name in your current setup because
> EAP will fail.
>
> Ivan Kalik
> Kalik Informatika ISP


Thank you for the detailed analysis and explanation.
For now I think I'll stick with the Apple supplied version of radiusd
- perhaps Mac OS X Server 10.5.5 will include a newer radiusd(!)
- When Apple (or I) updates to the current version of radiusd, will my
current configuration then work as expected or how will I need to
alter the configuration?

This morning I found an acceptable workaround that I will stick to for
the moment:
That is to create an alias for the user in the Open Directory. The
user "u1" is now also known as "u1@voneyben.net", hence it will be
authenticated ;-).
I "only" need to alter a few hundred users (need to make a script I
guess :), but I'll get a "cleaner" setup by only being dependent upon
_one_ server for the radius authentication.

Thank you again for your analysis!

- TvE
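For readers landing on this thread: the two-server emulation Ivan describes, written out as an added example (this is not configuration from the original thread, from Apple's radiusd or from the FreeRADIUS project). It assumes FreeRADIUS 1.x syntax (proxy.conf realm blocks, radiusd.conf bind_address), a second instance started from a copied configuration directory on an assumed port 18120, and a placeholder shared secret; change all three to match your system. Ivan's users entry uses "=", this example uses the explicit comparison operator "==" so the DEFAULT entry only matches requests that carry the attribute the EAP tunnel adds.

```conf
# --- /etc/raddb/proxy.conf on the existing (outer) radiusd --------------------
# Realm that receives the inner-tunnel requests. 127.0.0.1:18120 is an
# assumed port for the second instance; the secret is a placeholder.
realm inner-tunnel {
	type     = radius
	authhost = 127.0.0.1:18120
	accthost = 127.0.0.1:18121
	secret   = inner-secret-change-me
	# "nostrip" is deliberately absent: the proxied User-Name is then the
	# stripped form ("u1"), which is what the inner server should see.
}

# --- /etc/raddb/users on the outer radiusd -------------------------------------
# The EAP tunnel adds FreeRADIUS-Proxied-To = 127.0.0.1 to the inner request,
# so this DEFAULT entry matches only tunneled requests and proxies them.
# Outer (EAP) requests do not carry the attribute and are handled locally.
DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "inner-tunnel"

# --- /etc/raddb-inner/radiusd.conf on the second instance ----------------------
# Copy of the outer raddb without the realm above and without the users
# DEFAULT entry (otherwise the inner server would proxy to itself).
# Listen on loopback only and on the assumed port.
bind_address = 127.0.0.1
port         = 18120

# --- /etc/raddb-inner/clients.conf on the second instance ----------------------
# Only the outer radiusd on this host may talk to the inner instance.
client 127.0.0.1 {
	secret    = inner-secret-change-me
	shortname = outer-radiusd
}

# Start the second instance (assumed paths/port):
#   radiusd -d /etc/raddb-inner -p 18120
```

Two checks worth running before relying on this: confirm with `radiusd -X` on the outer server that a tunneled request shows `FreeRADIUS-Proxied-To = 127.0.0.1` and is proxied to realm inner-tunnel, and confirm with `radtest u1 <password> 127.0.0.1:18120 0 inner-secret-change-me` that the inner instance authenticates the stripped name on its own. Keeping the inner instance bound to 127.0.0.1 matters: it accepts plain PAP/MSCHAP inner credentials, so it must never be reachable from the network.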

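The aliasing workaround Thomas settled on, scripted for a few hundred users, as an added example (not a script from the original thread or from Apple). It assumes the Open Directory node /LDAPv3/127.0.0.1, a directory administrator named diradmin whose password is passed in OD_PASS, and the dscl -u/-P, -list, -read and -append invocations as they work on 10.5; the RecordName line format it parses ("RecordName: u1 u1@voneyben.net") is also an assumption about dscl -read output. Set DRY_RUN=1 to print the dscl commands instead of running them.

```shell
#!/bin/sh
# Added example: give every Open Directory user a "user@realm" alias so that a
# full User-Name such as u1@voneyben.net matches the OD record.
# Assumptions (not from the original thread): OD node, admin name, dscl flags
# and the RecordName output format noted below.
# Usage: OD_PASS=... ./od-alias.sh voneyben.net [user ...]
#        (all users in the node when no user names are given)

OD_NODE="${OD_NODE:-/LDAPv3/127.0.0.1}"   # assumed Open Directory node
OD_ADMIN="${OD_ADMIN:-diradmin}"          # assumed directory administrator
DRY_RUN="${DRY_RUN:-0}"                   # DRY_RUN=1: print commands only

# Build the alias for a short name and realm: u1 + voneyben.net -> u1@voneyben.net
alias_for() {
    printf '%s@%s\n' "$1" "$2"
}

# Succeed when the alias already appears in a space-separated RecordName list,
# so re-running the script never appends a duplicate alias.
has_alias() {
    _list="$1"; _alias="$2"
    for _name in $_list; do
        [ "$_name" = "$_alias" ] && return 0
    done
    return 1
}

# Only plain short names get an alias: skip empty names, underscore-prefixed
# system accounts, names that already look like aliases and names with spaces.
is_plain_user() {
    case "$1" in
        ''|_*|*@*|*' '*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read the RecordName values of a user. Assumed dscl -read output format:
#   RecordName: u1 u1@voneyben.net
read_record_names() {
    dscl -u "$OD_ADMIN" -P "$OD_PASS" "$OD_NODE" -read "/Users/$1" RecordName 2>/dev/null \
        | sed -n 's/^RecordName: *//p'
}

# Append the alias as an additional RecordName (short name) of the user.
add_alias() {
    _user="$1"; _alias="$2"
    if [ "$DRY_RUN" = 1 ]; then
        echo "dscl $OD_NODE -append /Users/$_user RecordName $_alias"
    else
        dscl -u "$OD_ADMIN" -P "$OD_PASS" "$OD_NODE" -append "/Users/$_user" RecordName "$_alias"
    fi
}

main() {
    realm="$1"; shift
    [ -n "$OD_PASS" ] || { echo "set OD_PASS to the directory admin password" >&2; exit 2; }
    if [ $# -eq 0 ]; then
        # Word splitting of the user list is intended here.
        set -- $(dscl -u "$OD_ADMIN" -P "$OD_PASS" "$OD_NODE" -list /Users)
    fi
    for user in "$@"; do
        is_plain_user "$user" || continue
        alias=$(alias_for "$user" "$realm")
        names=$(read_record_names "$user")
        if has_alias "$names" "$alias"; then
            echo "skip  $user (already has $alias)"
        else
            add_alias "$user" "$alias" && echo "added $user -> $alias"
        fi
    done
}

# Run only when a realm argument is given, so the file can also be sourced.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 and a single test user before touching the whole directory, and keep the admin password out of the shell history (export OD_PASS from a prompt rather than on the command line). Note that the alias makes "u1@voneyben.net" a second login name for u1 everywhere the directory is consulted, not just for RADIUS.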


More information about the Freeradius-Users mailing list