Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError
Eric Wittle
eric at wittle.net
Tue Dec 4 04:51:42 CET 2018
And making some progress. In the sites-enabled/default file, added the following to the post-auth section:
    # ELW - Attempting to add the missing attribute I need
    update reply {
        MS-CHAP2-Success := "%{MS-CHAP2-Response}"
    }
Now reply detail looks like:
Mon Dec 3 22:41:33 2018
Packet-Type = Access-Accept
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success = 0x9d0043abe40ba2b954250b42c69a1409c1c100000000000000003f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5
Timestamp = 1543894893
And the messages file on the EdgeRouter says the following for an authentication request:
Dec 4 03:41:30 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 55099. Local: 60667, Remote: 47 (ref=0/0). LNS session is 'default'
Dec 4 03:41:30 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 7504, Local: 28750, Remote: 8210, Serial: 1
Dec 4 03:41:30 ubnt pppd[7504]: pppd 2.4.4 started by root, uid 0
Dec 4 03:41:30 ubnt pppd[7504]: Connect: ppp0 <-->
Dec 4 03:41:33 ubnt pppd[7504]: RADIUS: bad MS-CHAP2-Success packet
Dec 4 03:41:33 ubnt pppd[7504]: Peer eric failed CHAP authentication
Dec 4 03:41:39 ubnt pppd[7504]: Connection terminated: no multilink.
Dec 4 03:41:39 ubnt pppd[7504]: Modem hangup
So it is clearly looking at the MS-CHAP2-Success attribute, but I’m not getting the right value for this. Any idea where I would get this from?
I’ve tried to walk through the 2.2.10 configuration looking for where this comes from, with no luck.
-Eric
> On Dec 3, 2018, at 10:08 PM, Eric Wittle <eric at wittle.net> wrote:
>
> OK, I cut out the history on this thread, because I think I’ve narrowed it down. I enabled detail reply logging on both the 2.2.10 install that is working, and the 3.0.17 one that is not. The first response below is from 3.0.17, and the VPN software logs that as a CHAP authentication failure. The second response below is from the 2.2.10 version. I’m guessing at this point (but I have a forum post open on Ubiquiti to confirm) that the missing MS-CHAP2-Success value is the problem.
>
> Mon Dec 3 21:44:12 2018
> Packet-Type = Access-Accept
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
> Timestamp = 1543891452
>
> Mon Dec 3 21:56:04 2018
> Packet-Type = Access-Accept
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
> MS-CHAP2-Success = 0x31533d31413533414644303142413034324443374639313444384245423634373131433634363642463830
>
> Is there a way to configure 3.0.17 to send the MS-CHAP2-Success value?
>
> Thanks,
>
> -Eric
>
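Added example, not part of the original post: a Python check that compares the two MS-CHAP2-Success values logged above against the attribute layouts in RFC 2548, where MS-CHAP2-Success is a 1-byte Ident followed by the 42-character string "S=" plus 40 hex digits, and MS-CHAP2-Response is 50 bytes. The function and constant names are hypothetical; the two hex values are copied from the reply detail logs in this thread.

```python
import re

# Value layouts from RFC 2548 (after the Vendor-Type and Vendor-Length octets).
SUCCESS_LEN = 43    # Ident(1) + "S=" + 40 hex digits
RESPONSE_LEN = 50   # Ident(1) + Flags(1) + Peer-Challenge(16) + Reserved(8) + NT-Response(24)
AUTH_STRING = re.compile(rb"S=[0-9A-F]{40}")


def parse_hex(value):
    """Turn the '0x...' form used in FreeRADIUS detail files into bytes."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)


def classify(value):
    """Return (verdict, detail) for a value logged as MS-CHAP2-Success."""
    raw = parse_hex(value)
    # Well-formed success attribute: ident byte, then the ASCII authenticator string.
    if len(raw) == SUCCESS_LEN and AUTH_STRING.fullmatch(raw[1:]):
        return "success", {"ident": raw[0], "string": raw[1:].decode("ascii")}
    # Same length and zeroed Reserved field as an MS-CHAP2-Response attribute.
    if len(raw) == RESPONSE_LEN and raw[18:26] == bytes(8):
        return "response-layout", {
            "ident": raw[0],
            "flags": raw[1],
            "peer_challenge": raw[2:18].hex(),
            "nt_response": raw[26:50].hex(),
        }
    return "unknown", {"length": len(raw)}


# Values copied from the two reply detail logs quoted in the thread.
FROM_3_0_17 = ("0x9d0043abe40ba2b954250b42c69a1409c1c10000000000000000"
               "3f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5")
FROM_2_2_10 = ("0x31533d3141353341464430314241303432444337463931344438"
               "4245423634373131433634363642463830")

if __name__ == "__main__":
    for name, value in (("3.0.17", FROM_3_0_17), ("2.2.10", FROM_2_2_10)):
        verdict, detail = classify(value)
        print(name, verdict, detail)
```

The 2.2.10 value decodes to an ident byte plus an "S=" string, while the 3.0.17 value has the length and field layout of the MS-CHAP2-Response attribute that the `update reply` block copies into it.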