MSCHAPv2 fails to authenticate against OpenDirectory with error 5100 (0x13ec)

Alan Egerton eggyal at gmail.com
Sat Jun 13 16:59:23 CEST 2015


Actually I resolved the MS-CHAP error: the method was not enabled in our OD
Password Server (perhaps this is now the default in Server v4, since we
have no record of having disabled it).

Enabling the method simply involved adding it to the
dsAttrTypeNative:apple-enabled-auth-mech attribute in
the /config/dirserv OD record (and then changing user passwords in order to
generate appropriate hashes).  The Apple FR build is now working fine.

Best,
-- Alan



On Saturday, 13 June 2015, Arran Cudbard-Bell <a.cudbardb at freeradius.org>
wrote:

>
> > On 12 Jun 2015, at 21:34, Jason Healy <jhealy at logn.net>
> wrote:
> >
> > We’re an all-Apple campus and we currently use OpenDirectory as our
> central auth system.  This includes being the backend for our wireless auth
> using EAP-PEAP/MSCHAPv2.  Our system does work, so this is possible.
> >
> > One thing that we tried, failed, and gave up on was building a modern FR
> build to talk directly to OpenDirectory.  There was too much secret sauce,
> and we’ve found that messing with the Apple servers too much causes
> weirdness and/or failures that are difficult to diagnose or get help with.
> >
> > We ended up building a modern FR on Linux and then proxying all requests
> to the Apple-supplied FR server running on the OpenDirectory machine.  This
> let us change all the FR configuration we wanted to (on the linux box) and
> left the Apple box as stock as possible.  You just need to add a client
> definition on the Apple server using their ‘radiusconfig’ tool:
> >
> >  sudo radiusconfig -addclient <ipaddr of proxying box> <short name of
> proxying box> other
> >
> > In terms of your MSCHAP error, that does still sound a little odd.
> Older versions of OD (pre 10.7?) used to have configuration options for
> which recoverable hashes you wanted to store your passwords with.  If you
> didn’t check the MSCHAP box, then you couldn’t do that form of auth.
> However, recent builds no longer have this option, so I’m guessing that OD
> stores passwords in a recoverable form by default.  Again, our stock build
> does allow MSCHAP authentication, so I’m not sure why you’d get that error.
> >
> > Do you have another OD server you can spin up to test a clean install?
> Our experience (4 different OpenDirectory servers) has been that you just
> add the radius client and authentication “just works” for PEAP/MSCHAPv2.
>
> There's code sitting in a branch off of a very old version of v2, which
> seems to deal explicitly with NTLM against Open Directory. It uses a newer
> framework than the existing rlm_opendirectory.
>
> Apple contributed it back in 2011, but there was never significant
> interest in getting it merged.
>
> If someone is able to test (I can port it into v3.1.x), it would be nice
> to be able to authenticate against modern open directory servers.
>
>
> https://github.com/FreeRADIUS/freeradius-server/commit/6040566cfa969da1bce085ee48b4cd3e433e87d8#diff-ff5083ad3697e3a4d1927248c1a2a090R129
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
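As an added illustration of the arrangement Jason describes above (a modern FreeRADIUS on Linux forwarding every request to the Apple-supplied RADIUS server on the OpenDirectory machine), and not configuration posted by anyone in this thread: a proxy.conf fragment for the Linux side. The address and shared secret are placeholders; the secret must be the one given to radiusconfig on the Apple server.

```conf
# proxy.conf on the Linux FreeRADIUS box (added example; values are placeholders)

home_server apple_od_radius {
    type = auth
    ipaddr = 192.0.2.10        # placeholder: the OpenDirectory / Apple RADIUS host
    port = 1812
    secret = CHANGE_ME         # placeholder: must match the client entry on the Apple box
    response_window = 20
}

home_server_pool apple_od_pool {
    type = fail-over
    home_server = apple_od_radius
}

# A DEFAULT realm matches every User-Name, so all requests (the EAP-PEAP
# exchange included) are proxied to the Apple server, which terminates the
# EAP tunnel and performs the MSCHAPv2 check against OpenDirectory.
# "nostrip" passes the User-Name through unchanged.
realm DEFAULT {
    auth_pool = apple_od_pool
    nostrip
}
```

In the Linux server's authorize section the realm module (suffix) must run before eap, as it does in the stock default virtual server, so the request is marked for proxying and the local eap module does not try to terminate the tunnel itself.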
