Stripping the domain from the username
Alan DeKok
aland at deployingradius.com
Mon Jan 13 00:56:19 CET 2020
On Jan 12, 2020, at 6:42 PM, Stuart Ramdeen <stuart at crossover.solutions> wrote:
>
> Thank you for your reply. I have made the change you suggested and (in
> my novice view) there now appears to be more progress than before.
That's good, but...
> I completely appreciate that it's an old build, but it was included
> with an older version of macOS Server and I'm trying to get things
> working before I attempt to update anything. It relies on an Apple
> module 'opendirectory', which is responsible for querying the
> directory service running on the Mac server, and so I don't want to
> change anything yet until I can get things going. I certainly take
> your point on board though and will look to update to 2.2.10 as soon
> as possible.
OK.
> Here is the latest debug output after making the change you suggested.
> If I am interpreting this correctly, the 'radiustest at example.co.uk'
> username is being stripped and passed to the directory server during
> request 0:
The User-Name is used to create a Stripped-User-Name attribute. The User-Name is *not* edited. This is important.
Also, the "opendirectory" module is looking at Stripped-User-Name for user lookups. This is fine.
> [opendirectory] User radiustest exists in OD
> [opendirectory] User radiustest is a member of the RADUIS SACL
>
> but by the time it gets to request 6 it is using the full username
> rather than the portion before the @:
>
> [mschap] Creating challenge hash with username: radiustest at example.co.uk
> [mschap] Client is using MS-CHAPv2 for radiustest at example.co.uk, we
> need NT-Password
> [mschap] Using OpenDirectory to authenticate
> [mschap] Unable to find record radiustest at example.co.uk in OD
> [mschap] Authentication failed for radiustest at example.co.uk
> ++[mschap] = fail
Yes. "radiustest at example.co.uk" doesn't exist in OD.
However, you should know that the MS-CHAP calculations are done on the full User-Name that is passed to FreeRADIUS. You *cannot* pass just a portion of the User-Name to OpenDirectory and expect the MS-CHAP calculations to work. They won't.
> At this point the directory server is seeing a request for
> radiustest at example.co.uk and rejecting it because of course the
> username in that format does not exist. Do I need to change anything
> so that the mschap module is creating the challenge hash with
> 'radiustest' rather than 'radiustest at example.co.uk', or am I barking
> up the wrong tree?
What you want to do is impossible.
OpenDirectory won't give FreeRADIUS the user's password, so that FreeRADIUS can do the MS-CHAP calculations.
OpenDirectory won't automatically look up just the "radiustest" portion of the user's name, BUT use the whole "radiustest at example.co.uk" for the MS-CHAP calculations.
Your options are:
a) do PEAP with plain usernames, i.e. "radiustest" and not "radiustest at example.co.uk"
b) put the user's password into a database that FreeRADIUS can read.
Alan DeKok.
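To see why the mschap module cannot simply run the calculation with "radiustest": the MS-CHAPv2 ChallengeHash (RFC 2759, section 8.2) takes the username bytes as input, so the client's response commits to the exact name it sent. This is an added illustration, not FreeRADIUS or Apple code; the two 16-octet challenges are the RFC 2759 test vectors, and strip_realm mimics how Stripped-User-Name is derived (the list archive shows "@" as " at ").

```python
import hashlib

# 16-octet PeerChallenge and AuthenticatorChallenge from the RFC 2759 test vectors
# (in a real exchange each side picks its own 16 random octets).
PEER_CHALLENGE = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """MS-CHAPv2 ChallengeHash (RFC 2759, section 8.2).

    Challenge = first 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    The username is hashed as the peer sent it, so "radiustest" and
    "radiustest@example.co.uk" yield unrelated 8-octet challenges.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("challenges must be 16 octets each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("utf-8")).digest()
    return digest[:8]


def strip_realm(username: str) -> str:
    """Derive a Stripped-User-Name from 'user@realm'; User-Name itself stays untouched."""
    return username.split("@", 1)[0]


def verifier_challenges(username: str) -> dict:
    """Compare the challenge the client hashed with the full User-Name against the
    one a verifier would compute from Stripped-User-Name alone."""
    full = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, username)
    stripped = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, strip_realm(username))
    return {"full_name": full.hex(), "stripped_name": stripped.hex(), "match": full == stripped}


if __name__ == "__main__":
    # Prints two different challenges and match=False for the name in this thread.
    print(verifier_challenges("radiustest@example.co.uk"))
```

The NT-Response is then a DES function of this challenge and the NT password hash, which is the second half of the problem: without the password hash from the directory there is nothing for FreeRADIUS to verify against.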