Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap: ERROR: (null): status = eServerError

Eric Wittle eric at wittle.net
Wed Dec 5 14:36:55 CET 2018


Responding to Matthew (I subscribed with digest enabled, so replying to specific emails is a challenge. Mistake on my part).

Revised section of code is:

	if (status == eDSNoErr) {
		RDEBUG2("ELW: status == eDSNoErr\n");
		if (pStepBuff->fBufferLength > 4) {
			RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n");
			uint32_t len;

			memcpy(&len, pStepBuff->fBufferData, sizeof(len));
			RDEBUG2("ELW: sizeof(len) = %lu\n", sizeof(len));
			RDEBUG2("ELW: value of len is %lu\n", len);
			if (len == 40) {
				RDEBUG2("ELW: Inside len == 40\n");
				char mschap_reply[42] = { '\0' };
				pStepBuff->fBufferData[len+4] = '\0';
				mschap_reply[0] = 'S';
				mschap_reply[1] = '=';
				memcpy(&(mschap_reply[2]), &(pStepBuff->fBufferData[4]), len);
				RDEBUG2("About to mschap_add_reply with %s\n", mschap_reply);
				mschap_add_reply(request, &request->reply->vps,
						 *response->vp_strvalue,
						 "MS-CHAP2-Success",
						 mschap_reply, len+2);
				RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%zu)\n", mschap_reply, len);

That gets me a bit farther (inside the len == 40 check), but then I get a seg fault in the call to mschap_add_reply:

Ready to process requests
(0) Received Access-Request Id 62 from 192.168.1.1:44978 to 192.168.1.2:1812 length 132
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   User-Name = "eric"
(0)   MS-CHAP-Challenge = 0x574ca5b59a8e344553b717024fa20962
(0)   MS-CHAP2-Response = 0x3b0091c88b94ecc81c10752a252fd386ca2b0000000000000000a394fdc9ca017ded44b770f4d01a535f3fe7fee7a1f6df4c
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181205
(0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181205
(0) auth_log: EXPAND %t
(0) auth_log:    --> Wed Dec  5 08:30:37 2018
(0)     [auth_log] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "eric", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0)     [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0)     [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0)     [sql] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4) 
(0) mschap:   Stepbuf server challenge : 
574cffffffa5ffffffb5ffffff9affffff8e344553ffffffb717024fffffffa20962
(0) mschap:   Stepbuf peer challenge   : 
ffffff91ffffffc8ffffff8bffffff94ffffffecffffffc81c10752a252fffffffd3ffffff86ffffffca2b
(0) mschap:   Stepbuf p24              : 
ffffffa3ffffff94fffffffdffffffc9ffffffca017dffffffed44ffffffb770fffffff4ffffffd01a535f3fffffffe7fffffffeffffffe7ffffffa1fffffff6ffffffdf4c
(0) mschap: ELW: status == eDSNoErr 
(0) mschap: ELW: pStepBuff->fBufferLength > 4 
(0) mschap: ELW: sizeof(len) = 4 
(0) mschap: ELW: value of len is 40 
(0) mschap: ELW: Inside len == 40 
(0) mschap: About to mschap_add_reply with S=B523E9A9A2F00BF04246DD46E1C3BDC1E7F0CA3F???? 
Segmentation fault: 11



Matthew wrote:

On Tue, 2018-12-04 at 22:16 -0500, Eric Wittle wrote:
>                if (pStepBuff->fBufferLength > 4) {
>                  RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n");
>                        size_t len;


I suspect changing that from uint32_t to size_t has had the unintended
consequences of making it a 64-bit integer on your platform, which
breaks the (len == 40) comparison.

Try changing "size_t len" to "uint32_t len" and see if that fixes it.


> (0) mschap: ELW: len == 3978992058181353512 

The lower 32 bits of this value are "40"... the rest is junk.

-- 
Matthew
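
The length-prefix handling discussed in this thread, as an added example that is not code from the thread or from FreeRADIUS: it shows why an 8-byte `len` no longer compares equal to 40, next to a bounds-checked way to build the `S=` reply. `struct step_buf`, `sample_buf`, `read_len_wide` and `build_success_reply` are hypothetical names, the buffer layout is assumed from the posted snippet, and the wide read assumes the `size_t` version used the same `memcpy(..., sizeof(len))` line.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the step buffer (assumed layout, not Apple's tDataBuffer header):
 * fBufferData holds a 4-byte native-endian length, then that many reply bytes. */
struct step_buf {
	uint32_t fBufferLength;   /* valid bytes in fBufferData */
	char     fBufferData[64];
};

/* Constructed sample: length prefix n followed by 40 placeholder characters. */
struct step_buf sample_buf(uint32_t n)
{
	struct step_buf b = { 0 };
	memcpy(b.fBufferData, &n, sizeof(n));
	memset(b.fBufferData + sizeof(n), 'A', 40);
	b.fBufferLength = sizeof(n) + 40;
	return b;
}

/* The wide variant: an 8-byte destination with sizeof(len) copies 8 bytes,
 * so the first 4 payload bytes land in the same integer as the prefix. */
uint64_t read_len_wide(const struct step_buf *b)
{
	uint64_t len;
	memcpy(&len, b->fBufferData, sizeof(len));
	return len;
}

/* Checked variant: returns the reply length (42) or -1; out is NUL-terminated. */
int build_success_reply(const struct step_buf *b, char *out, size_t outlen)
{
	uint32_t len;

	if (b->fBufferLength < sizeof(len)) return -1;
	memcpy(&len, b->fBufferData, sizeof(len));
	if (len != 40) return -1;
	if (b->fBufferLength - sizeof(len) < len) return -1; /* prefix overruns data */
	/* 43 bytes needed: a 42-byte buffer, as in the post, has no room for the NUL %s needs */
	if (outlen < 2 + (size_t)len + 1) return -1;

	memcpy(out, "S=", 2);
	memcpy(out + 2, b->fBufferData + sizeof(len), len);
	out[2 + len] = '\0';
	return (int)(2 + len);
}
```
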


