FreeRadius and MacOsx (LDAP vs Kerberos)

Massimiliano Tommasi m.tommasi at
Wed Jul 27 17:03:06 CEST 2011

I got the first step: FreeRadius and OpenDirectory are "speaking" the
same language, BUT I'm not able to authenticate the users...

On the client side I have a function to get the CHAP, and on the server
side I don't save the password in a hashed manner (I guess)...

When I try to auth, this is the output:
rad_recv: Access-Request packet from host port 55684,
id=4, length=234
	Vendor-14559-Attr-8 = 0x312e322e33
	User-Name = "root"
	CHAP-Challenge = 0x0edd76439301b38946e175305f4f951f
	CHAP-Password = 0x0009043c756f718e348b26b5300f0e10ab
	Service-Type = Login-User
	Acct-Session-Id = "4e30263e00000001"
	Framed-IP-Address =
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	NAS-Port-Id = "00000001"
	Calling-Station-Id = "00-23-DF-8E-F7-7A"
	Called-Station-Id = "00-60-E0-E0-A4-D4"
	NAS-IP-Address =
	NAS-Identifier = "kenny"
	WISPr-Logoff-URL = ""
	Message-Authenticator = 0x02107a4aa5448c95bcb1c66989947389
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "root", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[unix] returns updated
++[files] returns noop
rlm_opendirectory: The SACL group "" does not
exist on this system.
rlm_opendirectory: The host does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
++[opendirectory] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "root" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> root
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host port 55684,
id=4, length=234
Waiting to send Access-Reject to client lan port 55684 - ID: 4
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 4 to port 55684
Waking up in 4.9 seconds.
Cleaning up request 10 ID 4 with timestamp +1898
Ready to process requests.

I have some doubts about the Apple side: is the server asking for the clear
password on the Apple side?

I hope you can help me, one more time.


On 27/07/11 14:54, Alan DeKok wrote:
> Massimiliano Tommasi wrote:
>> You are pretty right ;)
>> I have just recompiled freeradius with that module, which I need...
>> It seems to be what I need but ... I notice a lack of documentation for
>> that module..
>> I have found nothing at all :(
>> Could you suggest me some doc or/and example of the conf, please?
>   I said:
>>>   Just list "opendirectory" in the "authorize" and "authenticate" sections.
>   That's it.
>   It's that simple.  It doesn't need more documentation.
>   Alan DeKok.

:: P u r p l e   s r l
:: security and network
:: via Vittorio Veneto 8/B :: i-20091 Bresso - Milano
:: web:

:: Massimiliano Tommasi
:: email: m.tommasi at
:: phone: +39 02 36687280 :: fax: +39 02 700511249
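
Added example, not part of the original message and not FreeRADIUS code: why the debug output stops at "[chap] Cleartext-Password is required for authentication". Per RFC 1994 the CHAP response is MD5(identifier || secret || challenge), so the verifier must hold the same secret the client used, and a one-way hash of it cannot stand in. Function names, the password, the challenge and the salted SHA-1 "stored hash" are constructed for illustration; only the 17-byte CHAP-Password value is taken from the debug output above.

```python
import hashlib
import hmac


def split_chap_password(attr: bytes):
    """CHAP-Password attribute = 1-byte CHAP identifier + 16-byte MD5 response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 bytes")
    return attr[0], attr[1:]


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(chap_password_attr: bytes, challenge: bytes, known_secret: bytes) -> bool:
    """Server-side check: recompute the response from what the server knows."""
    chap_id, response = split_chap_password(chap_password_attr)
    expected = chap_response(chap_id, known_secret, challenge)
    return hmac.compare_digest(expected, response)


# CHAP-Password exactly as logged in the Access-Request above.
LOGGED_ATTR = bytes.fromhex("0009043c756f718e348b26b5300f0e10ab")

# Constructed sample values (not from the post).
CHALLENGE = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PASSWORD = b"example-password"
CLIENT_ATTR = bytes([7]) + chap_response(7, PASSWORD, CHALLENGE)

# Constructed stand-in for a backend that keeps only a one-way hash.
SALT = b"\x01\x02\x03\x04"
STORED_HASH = hashlib.sha1(SALT + PASSWORD).digest()


def demo():
    return {
        "logged_chap_id": split_chap_password(LOGGED_ATTR)[0],
        "with_cleartext": verify_chap(CLIENT_ATTR, CHALLENGE, PASSWORD),
        "with_stored_hash": verify_chap(CLIENT_ATTR, CHALLENGE, STORED_HASH),
        "wrong_password": verify_chap(CLIENT_ATTR, CHALLENGE, b"wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the run that supplies the cleartext secret verifies; feeding the stored hash into the same computation fails, which is the condition the chap module reports.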

More information about the Freeradius-Users mailing list