OpenDirectory Authentication fails with eap but works with pap

Alan DeKok aland at
Mon Feb 24 13:09:10 CET 2020

On Feb 22, 2020, at 12:27 PM, Ashley Drees <adrees at> wrote:
> I have recently had to migrate my FreeRADIUS from one sick OpenDirectory
> server to a "fresh" one.  FreeRADIUS was hard crashing whenever it got an
> eap authentication request on the "sick" server; on the newly promoted
> server it runs without crashing.

  Hmm... FreeRADIUS shouldn't crash.  I suspect there are issues in older versions which have since been fixed.

> The config checks out with XC and running as X works as expected.

  That's good.

> So with pap it seems to talk to OD nicely... however...
> if I try and authenticate with the same id trying to auth for WiFi (unifi
> access points) I get a fail and the offending stanza in the debug is

  Some magic OpenDirectory failure.  :(

  I've pushed a fix which makes the debug output look a little cleaner.  But I don't think it will help this issue.

> I am a bit stuck with this, I am unsure why with pap it works and it fails with
> eap.

  Magic :(

> I did not fill this post with random logs, but if you have any ideas I can
> capture logs/configs etc as needed.
> Thanks in advance.
> I did have this working on the previous OD master, but a security update
> seemed to stop it working hence my migration efforts, I have followed the
> same "migration" document from Apple, but to be honest, after several days
> messing around I am just about ready to run up a VM and put FreeNAS into an
> Ubuntu box (if only I could be sure it would get its auth from OD)

  OpenDirectory is a bit of a "black box", unfortunately.  If following Apple's documentation doesn't work, there isn't a lot more we can do.

  I'd suggest trying the latest FreeRADIUS code from GitHub:

  There are a number of small fixes in the OpenDirectory "glue" code which may help.  But if that doesn't work, I'm not sure what else to suggest.

  Alan DeKok.
