FreeRADIUS 3.0.12 + openLDAP + Apple access point?

Tobias Balle-Petersen tobiasbp at gmail.com
Wed Dec 6 14:20:06 CET 2017


Hello...

At the dawn of time, I set up a FreeRADIUS 2.x server with an openLDAP
backend for use with my Apple access points. This has worked for years.

I am now trying to make the same configuration with FreeRADIUS 3.0.12 in a
FreeBSD jail. Unfortunately, I can not make it work.

Testing pap works:
radtest -x -t pap ....

Testing mschap works:
radtest -x -t mschap ....

I have NTpasswords in my ldap-database, and FreeRADIUS picks them up.

I just don't understand why access is not being granted by the access
points.

I have pasted the lengthy log of a failed attempt here:
https://pastebin.com/CLqegYRe

It looks to me like this is where it goes wrong:
...
...
(18) files:   Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=kp-vpn-cph)(objectC"
(18) files:   Waiting for search result...
(18) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
rlm_ldap (ldap): Released connection (4)
(18) files: users: Matched entry DEFAULT at line 63
(18)       [files] = ok
rlm_ldap (ldap): Reserved connection (0)
(18) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(18) ldap:    --> (uid=bj)
(18) ldap: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub"
(18) ldap: Waiting for search result...
(18) ldap: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
(18) ldap: Processing user attributes
(18) ldap: control:Password-With-Header += '{CRYPT}$*****'
(18) ldap: control:NT-Password := 0x3437413634423334324442384133314330313831413644453134393237413931
rlm_ldap (ldap): Released connection (0)
(18)       [ldap] = updated
(18)       [expiration] = noop
(18)       [logintime] = noop
(18) pap: Converted: &control:Password-With-Header -> &control:Crypt-Password
(18) pap: Removing &control:Password-With-Header
(18) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(18) pap: WARNING: Auth-Type already set.  Not setting to PAP
(18)       [pap] = noop
(18)     } # authorize = updated
(18)   Found Auth-Type = Reject
(18)   Auth-Type = Reject, rejecting user
(18)   Failed to authenticate the user
(18)   Using Post-Auth-Type Reject
(18)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(18)     Post-Auth-Type REJECT {
(18) attr_filter.access_reject: EXPAND %{User-Name}
(18) attr_filter.access_reject:    --> bj
(18) attr_filter.access_reject: Matched entry DEFAULT at line 11
(18)       [attr_filter.access_reject] = updated
(18)       update outer.session-state {
(18)         No attributes updated
(18)       } # update outer.session-state = noop
(18)     } # Post-Auth-Type REJECT = updated
(18) } # server inner-tunnel
(18) Virtual server sending reply
...
...


Thank you,
Tobias
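As an added example (not part of Tobias's post or of FreeRADIUS itself), here is a small Python triage helper for this style of FreeRADIUS 3.x debug output: per request id it records which module matched an entry during authorize and which module later warned that Auth-Type was already set, so the entry that introduced the Reject can be located quickly. The embedded log is a trimmed copy of the request (18) lines quoted above; the regexes are written against the line shapes visible in that excerpt.

```python
"""Added example: triage helper for FreeRADIUS 3.x debug output. Per request
id, find the entry match that set Auth-Type before the auth module ran."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the request (18) lines quoted in the post.
SAMPLE_LOG = """\
(18) files: users: Matched entry DEFAULT at line 63
(18)       [files] = ok
(18)       [ldap] = updated
(18) pap: WARNING: Auth-Type already set.  Not setting to PAP
(18)       [pap] = noop
(18)     } # authorize = updated
(18)   Found Auth-Type = Reject
(18) attr_filter.access_reject: Matched entry DEFAULT at line 11
"""

MATCHED = re.compile(r'^\((\d+)\) (\S+): (?:(\S+): )?Matched entry (\S+) at line (\d+)')
RETCODE = re.compile(r'^\((\d+)\)\s+\[(\S+)\] = (\S+)')
ALREADY = re.compile(r'^\((\d+)\) (\S+): WARNING: Auth-Type already set')
FOUND = re.compile(r'^\((\d+)\)\s+Found Auth-Type = (\S+)')

def parse(log_text):
    """Group the events we care about per request id; entry matches logged
    after Auth-Type was decided (post-auth attr_filter etc.) are ignored."""
    reqs = defaultdict(lambda: {"matches": [], "rcodes": [], "blocked": [], "auth_type": None})
    for line in log_text.splitlines():
        if m := FOUND.match(line):
            reqs[m[1]]["auth_type"] = m[2]
        elif (m := MATCHED.match(line)) and reqs[m[1]]["auth_type"] is None:
            reqs[m[1]]["matches"].append((m[2], m[3] or "?", m[4], int(m[5])))
        elif m := RETCODE.match(line):
            reqs[m[1]]["rcodes"].append((m[2], m[3]))
        elif m := ALREADY.match(line):
            reqs[m[1]]["blocked"].append(m[2])  # module that wanted to set Auth-Type but could not
    return dict(reqs)

def find_reject_source(log_text):
    """For each request rejected via Auth-Type, name the last authorize-phase
    entry match, the most likely place an 'Auth-Type := Reject' came from."""
    findings = []
    for rid, r in parse(log_text).items():
        if r["auth_type"] != "Reject" or not r["blocked"]:
            continue
        module, filename, entry, lineno = r["matches"][-1] if r["matches"] else ("?", "?", "?", 0)
        findings.append({"request": rid, "set_before": r["blocked"], "module": module,
                         "file": filename, "entry": entry, "line": lineno})
    return findings
```

On the excerpt above the helper reports that for request (18) the only authorize-phase match before pap's warning is the files module's users entry DEFAULT at line 63, which is the entry to inspect.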

