MSCHAPv2 fails to authenticate against OpenDirectory with error 5100 (0x13ec)

Alan DeKok aland at deployingradius.com
Wed Jun 10 19:00:19 CEST 2015 

On Jun 10, 2015, at 12:15 PM, Alan Egerton <eggyal at gmail.com> wrote:

> On Wed, Jun 10, 2015 at 1:49 PM, Alan DeKok <aland at deployingradius.com> wrote:
>>  I suggest trying to install 3.0.8.  We've put more messages into the module which *should* help track down exactly what's going wrong.
> 
> Okay, to attempt with 3.0.8 I did the following:
> 
> 1.   Downloaded and extracted
> ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.8.tar.gz
> 
> 2.   Reversed the logic on line 363 of
> src/modules/rlm_opendirectory/rlm_opendirectory.c: rad_getgid() is
> defined in lines 1419 to 1437 of src/main/util.c, and clearly returns
> 0 on success rather than error—this file appears to assume the
> reverse, and was leading to erroneous claims that the SACL did not
> exist.

  I've pushed a fix for that.

> 3.   ./configure --with-experimental-modules
> 
> 4.   Added "#define WITH_OPEN_DIRECTORY 1" to
> src/modules/rlm_mschap/config.h (there doesn't appear to be a
> configure option for it).

  I've pushed a fix for that.

> But I now see the following error:
> 
> (8) eap_mschapv2:   Auth-Type MS-CHAP {
> (8) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password
> (8) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> LM-Password
> (8) mschap: No NT-Password configured. Trying OpenDirectory Authentication
> (8) mschap: OD username_string = testuser, OD shortUserName=testuser
> (length = 8)
> rlm_mschap: authentication failed -14091

  I've pushed a slight fix for that.  It now prints a bit better name for the error.

> (8)     [mschap] = reject
> (8)   } # Auth-Type MS-CHAP = reject
> 
> 
> I don't know whether this is the same problem as that which I was
> previously experiencing under v2.2.0 (the error code is obviously
> different), but in any event this error is no more meaningful to me
> than before... so I'm just as stuck!

  From looking around the net... the error seems to be that the passwords are not stored in clear-text.  So OpenDirectory can't do MS-CHAP authentication.

  Honestly, the best approach is to use OpenDirectory as an LDAP server.  Ignore the OpenDirectory API.  Just let FreeRADIUS grab the password from LDAP, and then use that to authenticate.

  Alan DeKok.

More information about the Freeradius-Users mailing list