MSCHAPv2 fails to authenticate against OpenDirectory with error 5100 (0x13ec)
Jason Healy
jhealy at logn.net
Sat Jun 13 03:34:03 CEST 2015
We’re an all-Apple campus and we currently use OpenDirectory as our central auth system. This includes being the backend for our wireless auth using EAP-PEAP/MSCHAPv2. Our system does work, so this is possible.
One thing that we tried, failed, and gave up on was building a modern FR build to talk directly to OpenDirectory. There was too much secret sauce, and we’ve found that messing with the Apple servers too much causes weirdness and/or failures that are difficult to diagnose or get help with.
We ended up building a modern FR on Linux and then proxying all requests to the Apple-supplied FR server running on the OpenDirectory machine. This let us change all the FR configuration we wanted to (on the Linux box) and left the Apple box as stock as possible. You just need to add a client definition on the Apple server using their ‘radiusconfig’ tool:
sudo radiusconfig -addclient <ipaddr of proxying box> <short name of proxying box> other
In terms of your MSCHAP error, that does still sound a little odd. Older versions of OD (pre 10.7?) used to have configuration options for which recoverable hashes you wanted to store your passwords with. If you didn’t check the MSCHAP box, then you couldn’t do that form of auth. However, recent builds no longer have this option, so I’m guessing that OD stores passwords in a recoverable form by default. Again, our stock build does allow MSCHAP authentication, so I’m not sure why you’d get that error.
Do you have another OD server you can spin up to test a clean install? Our experience (4 different OpenDirectory servers) has been that you just add the radius client and authentication “just works” for PEAP/MSCHAPv2.
Jason
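As an added illustration (not from Jason's message or the FreeRADIUS project's own files), this is the minimal proxy.conf shape for the Linux-side FreeRADIUS 3.x server in the setup described above: every request is forwarded to the Apple-supplied radiusd on the OpenDirectory host. The address, shared secret and names are placeholders, and the secret must match the client entry added with ‘radiusconfig -addclient’ on the Apple side.

```conf
# Linux-side FreeRADIUS 3.x, proxy.conf (added example; values are placeholders)

home_server apple_od {
    type    = auth
    ipaddr  = 192.0.2.10          # placeholder: the OpenDirectory server
    port    = 1812
    secret  = change-me-shared    # placeholder: same secret as the radiusconfig client entry

    # Mark the Apple server dead quickly if it stops answering, so
    # supplicants fail fast instead of timing out.  Use "none" if the
    # Apple radiusd does not accept Status-Server packets.
    status_check    = status-server
    response_window = 20
    zombie_period   = 40
    revive_interval = 120
}

home_server_pool apple_od_pool {
    type        = fail-over
    home_server = apple_od
}

# DEFAULT matches every User-Name, with or without an @realm suffix,
# so all authentication (including the whole EAP conversation) is proxied.
# nostrip keeps the User-Name exactly as the supplicant sent it.
realm DEFAULT {
    auth_pool = apple_od_pool
    nostrip
}
```

Because the full EAP exchange is proxied, the Apple server terminates PEAP: the certificate supplicants see is the Apple box's, and the Linux box only relays the encrypted tunnel, so inner MSCHAPv2 policy and logging live on the OpenDirectory host.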