Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError
Alan DeKok
aland at deployingradius.com
Tue Dec 4 13:35:33 CET 2018
On Dec 3, 2018, at 10:51 PM, Eric Wittle <eric at wittle.net> wrote:
>
> And making some progress. In the sites-enabled/default file, added the following to the post-auth section:
>
> # ELW - Attempting to add the missing attribute I need
> update reply {
>     MS-CHAP2-Success := "%{MS-CHAP2-Response}"
> }

Don't do that. You can't just invent things and expect them to work.

> Now reply detail looks like:
>
> Mon Dec 3 22:41:33 2018
> Packet-Type = Access-Accept
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
> MS-CHAP2-Success = 0x9d0043abe40ba2b954250b42c69a1409c1c100000000000000003f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5
> Timestamp = 1543894893

And don't look at that, either. All of the documentation, etc. says to look at the debug output.

> And the messages file on the EdgeRouter says the following for an authentication request:
>
> Dec 4 03:41:30 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 55099. Local: 60667, Remote: 47 (ref=0/0). LNS session is 'default'
> Dec 4 03:41:30 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 7504, Local: 28750, Remote: 8210, Serial: 1
> Dec 4 03:41:30 ubnt pppd[7504]: pppd 2.4.4 started by root, uid 0
> Dec 4 03:41:30 ubnt pppd[7504]: Connect: ppp0 <-->
> Dec 4 03:41:33 ubnt pppd[7504]: RADIUS: bad MS-CHAP2-Success packet
> Dec 4 03:41:33 ubnt pppd[7504]: Peer eric failed CHAP authentication
> Dec 4 03:41:39 ubnt pppd[7504]: Connection terminated: no multilink.
> Dec 4 03:41:39 ubnt pppd[7504]: Modem hangup

And don't look at that, either. If FreeRADIUS isn't configured correctly, then it won't help to look at the NAS logs.

> So it is clearly looking at the MS-CHAP2-Success attribute, but I’m not getting the right value for this. Any idea where I would get this from?

You get it from a successful authentication. The MSCHAP module calculates it automatically.

The short summary is to try to get this working:

a) without using OpenDirectory, but using a static / test password

b) with OpenDirectory, but using radtest to send MS-CHAP packets.

i.e. skip the NAS entirely. Just use RADIUS test tools, and look at the RADIUS debug messages.

Maybe there's a problem with the OpenDirectory integration in v3. I don't think so, because others use it, and Apple has instructions for using it. So it should work.

Alan DeKok.
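
An added example, not part of the original message and not FreeRADIUS or pppd code: it checks an MS-CHAP v2 attribute value against the RFC 2548 layouts and shows that the value logged in the thread has the 50-byte MS-CHAP2-Response layout rather than the 43-byte MS-CHAP2-Success layout (Ident plus "S=" and 40 hex digits). The names `classify` and `CONSTRUCTED_SUCCESS` are made up for illustration, and the well-formed sample is constructed.

```python
import re

# MS-CHAP2-Success value from the reply detail quoted in the thread,
# split into 10-byte chunks for readability.
LOGGED_VALUE = (
    "0x"
    "9d0043abe40ba2b95425"
    "0b42c69a1409c1c10000"
    "0000000000003f4600c8"
    "a3b9759e82a9a982364d"
    "69b51d2cf6c260d33db5"
)

# Constructed sample of a well-formed value (not a real authenticator response).
CONSTRUCTED_SUCCESS = "0x9d" + b"S=0123456789ABCDEF0123456789ABCDEF01234567".hex()

# RFC 2759 authenticator response: "S=" followed by 40 hex digits.
AUTH_RESPONSE = re.compile(rb"S=[0-9A-Fa-f]{40}")


def classify(hex_value):
    """Decide which RFC 2548 MS-CHAP v2 attribute layout a value matches."""
    text = hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value
    raw = bytes.fromhex(text)
    # MS-CHAP2-Success: Ident (1) + String (42).
    if len(raw) == 43 and AUTH_RESPONSE.fullmatch(raw[1:]):
        return {"kind": "MS-CHAP2-Success", "ident": raw[0],
                "auth_response": raw[1:].decode("ascii")}
    # MS-CHAP2-Response: Ident (1) + Flags (1) + Peer-Challenge (16)
    # + Reserved (8, zero) + Response (24).
    if len(raw) == 50 and raw[18:26] == bytes(8):
        return {"kind": "MS-CHAP2-Response", "ident": raw[0], "flags": raw[1],
                "peer_challenge": raw[2:18].hex(),
                "nt_response": raw[26:].hex()}
    return {"kind": "unknown", "length": len(raw)}


if __name__ == "__main__":
    for name, value in (("logged", LOGGED_VALUE),
                        ("constructed", CONSTRUCTED_SUCCESS)):
        print(name, classify(value))
```
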