OpenDirectory Authentication fails with eap but works with pap

Ashley Drees adrees at c-r.org
Sat Feb 22 18:27:15 CET 2020


I have recently had to migrate my FreeRADIUS from one sick OpenDirectory
server to a "fresh" one.  FreeRADIUS was hard crashing whenever it got an
EAP authentication request on the "sick" server; on the newly promoted
server it runs without crashing.

The config checks out with -XC and running with -X works as expected.

When I use (from a remote machine)

radtest -x -t pap radiustest 2020Password 192.168.9.23  0 testing123

I get

Received Access-Accept Id 139 from 192.168.9.23:1812 to 0.0.0.0:0 length 20

from the debug:

suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "radiustest", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: No EAP-Message, not doing EAP
(3)     [eap] = noop
(3)     [files] = noop
(3) opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
(3) opendirectory: The host 192.168.9.9 does not have an access group.
(3) opendirectory: no access control groups, all users allowed
(3) opendirectory: Setting Auth-Type = opendirectory
(3)     [opendirectory] = ok
(3)     [expiration] = noop
(3)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(3)     [pap] = noop
(3)   } # authorize = ok

So with PAP it seems to talk to OD nicely... however...

If I try to authenticate with the same ID for WiFi (UniFi access points)
I get a fail, and the offending stanza in the debug is

(11) eap_mschapv2:   authenticate {
(11) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(11) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(11) mschap: OD username_string = radiustest, OD shortUserName= (length = 0)
(11) mschap:   Stepbuf server challenge :
7972ffffffca6a52ffffffeb695bffffff87fffffffd46ffffffa4ffffffef18ffffffc9ffffffa0
(11) mschap:   Stepbuf peer challenge   :
37ffffffa043ffffffcdffffffe62503fffffffeffffffdf6f5cffffffd849ffffffb4ffffff8dffffffd2
(11) mschap:   Stepbuf p24              :
ffffffcdffffffc2ffffffd727472866ffffffd0fffffffe2fffffffa8263e5bffffffc150ffffff997fffffff90ffffffbbffffffb13dffffffeeffffff86
(11) mschap: ERROR: rlm_mschap: authentication failed - status = eUndefinedError

I am a bit stuck with this; I am unsure why it works with PAP and fails with
EAP.

I did not fill this post with random logs, but if you have any ideas I can
capture logs/configs etc as needed.

Thanks in advance.

I did have this working on the previous OD master, but a security update
seemed to stop it working, hence my migration efforts. I have followed the
same "migration" document from Apple, but to be honest, after several days of
messing around I am just about ready to run up a VM and put FreeNAS into an
Ubuntu box (if only I could be sure it would get its auth from OD).

Ash
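The "Stepbuf" lines in the rlm_mschap debug above are hard to read because every byte with the high bit set is printed as "ffffff" plus its two real hex digits, which is what a C debug printer produces when a signed char is sign-extended before being formatted with %02x (that reading is my interpretation, not something the post states). The following is an added example, not code from the original post or from FreeRADIUS: it strips that artefact from the three dumps quoted in the post and checks each recovered field against the size MS-CHAPv2 expects.

```python
import re

# Stepbuf dumps copied verbatim from the rlm_mschap debug output quoted in the post.
STEPBUF = {
    "server_challenge": "7972ffffffca6a52ffffffeb695bffffff87fffffffd46"
                        "ffffffa4ffffffef18ffffffc9ffffffa0",
    "peer_challenge": "37ffffffa043ffffffcdffffffe62503fffffffeffffffdf"
                      "6f5cffffffd849ffffffb4ffffff8dffffffd2",
    "p24": "ffffffcdffffffc2ffffffd727472866ffffffd0fffffffe2fffffffa8"
           "263e5bffffffc150ffffff997fffffff90ffffffbbffffffb13dffffffeeffffff86",
}

# Field sizes MS-CHAPv2 uses (RFC 2759): 16-byte challenges, 24-byte NT-Response.
EXPECTED_LEN = {"server_challenge": 16, "peer_challenge": 16, "p24": 24}

# A byte below 0x80 prints as two hex digits (first digit 0-7).  A byte with the
# high bit set was sign-extended to a negative int before %02x, so it prints as
# "ffffff" followed by its real two digits (first digit 8-f).  The first digit
# therefore fixes the token length, and the dump decodes left to right unambiguously.
_TOKEN = re.compile(r"ffffff([89a-f][0-9a-f])|([0-7][0-9a-f])")


def decode_stepbuf(dump: str) -> bytes:
    """Undo the sign-extension artefact and return the raw bytes of one dump."""
    out = bytearray()
    pos = 0
    while pos < len(dump):
        m = _TOKEN.match(dump, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}: {dump[pos:pos + 8]!r}")
        out.append(int(m.group(1) or m.group(2), 16))
        pos = m.end()
    return bytes(out)


def check_stepbuf(dumps=STEPBUF):
    """Decode every dump and report (actual length, matches the expected size)."""
    result = {}
    for name, dump in dumps.items():
        raw = decode_stepbuf(dump)
        result[name] = (len(raw), len(raw) == EXPECTED_LEN[name])
    return result


if __name__ == "__main__":
    for name, dump in STEPBUF.items():
        raw = decode_stepbuf(dump)
        print(f"{name:17s} {len(raw):2d} bytes  {raw.hex()}")
```

With these dumps all three fields decode to their expected sizes, which rules out a truncated challenge or response as the cause and points back at the OD lookup in the same log (the shortUserName of length 0).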

More information about the Freeradius-Users mailing list