Stripping the domain from the username
stuart at crossover.solutions
Tue Jan 14 22:59:55 CET 2020
Thanks for confirming that what we're trying to do just isn't possible. I
think I'm going to look into adding an alias to every user in the directory
that contains the username formatted as an email address so that OD is able
to successfully authenticate the user and the MS-CHAP calculations complete.
On Sun, 12 Jan 2020 at 23:56, Alan DeKok <aland at deployingradius.com> wrote:
> On Jan 12, 2020, at 6:42 PM, Stuart Ramdeen <stuart at crossover.solutions>
> > Thank you for your reply. I have made the change you suggested and (in
> > my novice view) there now appears to be more progress than before.
> That's good, but...
> > I completely appreciate that it's an old build, but it was included
> > with an older version of macOS Server and I'm trying to get things
> > working before I attempt to update anything. It relies on an Apple
> > module 'opendirectory', which is responsible for querying the
> > directory service running on the Mac server, and so I don't want to
> > change anything yet until I can get things going. I certainly take
> > your point on board though and will look to update to 2.2.10 as soon
> > as possible.
> > Here is the latest debug output after making the change you suggested.
> > If I am interpreting this correctly, the 'radiustest at example.co.uk'
> > username is being stripped and passed to the directory server during
> > request 0:
> The User-Name is used to create a Stripped-User-Name attribute. The
> User-Name is *not* edited. This is important.
> Also, the "opendirectory" module is looking at Stripped-User-Name for
> user lookups. This is fine.
> > [opendirectory] User radiustest exists in OD
> > [opendirectory] User radiustest is a member of the RADUIS SACL
> > but by the time it gets to request 6 it is using the full username
> > rather than the portion before the @:
> > [mschap] Creating challenge hash with username: radiustest at example.co.uk
> > [mschap] Client is using MS-CHAPv2 for radiustest at example.co.uk, we
> > need NT-Password
> > [mschap] Using OpenDirectory to authenticate
> > [mschap] Unable to find record radiustest at example.co.uk in OD
> > [mschap] Authentication failed for radiustest at example.co.uk
> > ++[mschap] = fail
> Yes. "radiustest at example.co.uk" doesn't exist in OD.
> However, you should know that the MS-CHAP calculations are done on the
> full User-Name that is passed to FreeRADIUS. You *cannot* pass just a
> portion of the User-Name to OpenDirectory and expect the MS-CHAP
> calculations to work. They won't.
> > At this point the directory server is seeing a request for
> > radiustest at example.co.uk and rejecting it because of course the
> > username in that format does not exist. Do I need to change anything
> > so that the mschap module is creating the challenge hash with
> > 'radiustest' rather than 'radiustest at example.co.uk', or am I barking
> > up the wrong tree?
> What you want to do is impossible.
> OpenDirectory won't give FreeRADIUS the user's password, so that
> FreeRADIUS can do the MS-CHAP calculations.
> OpenDirectory won't automatically look up just the "radiustest" portion
> of the user's name, BUT use the whole "radiustest at example.co.uk" for the
> MS-CHAP calculations.
> Your options are:
> a) do PEAP with plain usernames, i.e. "radiustest" and not
> "radiustest at example.co.uk"
> b) put the users password into a database that FreeRADIUS can read.
> Alan DeKok.
Crossover Solutions Ltd
Pound House, 62A Highgate High Street, London, N6
www.crossover.solutions <http://crossover.solutions> • 020 3637 4655
Registered in England and Wales No: 9593204 Registered address as stated
Members of the Apple Consultants Network
Please submit new support
requests to support at crossover.solutions
<mailto:support at crossover.solutions>
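To make Alan's point concrete (the MS-CHAPv2 challenge is computed over the User-Name exactly as the client sent it, while the realm split only produces a separate Stripped-User-Name), here is a small added example. It is not code from this thread or from FreeRADIUS: it implements the ChallengeHash() step of RFC 2759 with the standard library, and `split_realm` merely mimics the realm module's behaviour of leaving User-Name intact and deriving Stripped-User-Name from the part before the delimiter. The 16-byte challenges in `demo_mismatch` are constructed values; the NT-Response step that follows ChallengeHash needs DES and is left out.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash():
    the 8-octet challenge fed into NT-Response is
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    UserName is the exact octets the client used; no realm stripping happens here."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 Peer and Authenticator challenges are 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(user_name.encode("utf-8"))  # 0-to-256-char username, no terminating NUL
    return sha.digest()[:8]


def split_realm(user_name: str, delimiter: str = "@"):
    """Mimic what the realm module does with 'user@realm' (assumption: modelled on the
    behaviour described in the thread, not FreeRADIUS code). Returns a tuple of
    (User-Name, Stripped-User-Name, Realm); User-Name is never modified."""
    if delimiter not in user_name:
        return user_name, user_name, None
    stripped, realm = user_name.rsplit(delimiter, 1)
    return user_name, stripped, realm


def challenge_for_request(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str):
    """Show both challenges a server could compute: the correct one over User-Name,
    and the wrong one over Stripped-User-Name. Only the first matches what the
    client computed, which is why a directory lookup on the stripped name cannot
    be combined with an MS-CHAP calculation on it."""
    full, stripped, _realm = split_realm(user_name)
    return {
        "User-Name": full,
        "Stripped-User-Name": stripped,
        "challenge_over_user_name": challenge_hash(peer_challenge, authenticator_challenge, full),
        "challenge_over_stripped_name": challenge_hash(peer_challenge, authenticator_challenge, stripped),
    }


def challenges_differ(user_name: str) -> bool:
    """True when stripping the realm would change the MS-CHAPv2 challenge.
    Constructed challenge values, chosen only so the example runs offline."""
    peer = bytes(range(16))
    auth = bytes(range(16, 32))
    r = challenge_for_request(peer, auth, user_name)
    return r["challenge_over_user_name"] != r["challenge_over_stripped_name"]


def rfc2759_vector_ok() -> bool:
    """Self-check against the RFC 2759 section 9.2 test vector (UserName 'User')."""
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    return challenge_hash(peer, auth, "User") == bytes.fromhex("D02E4386BCE91226")


if __name__ == "__main__":
    print("RFC 2759 vector matches:", rfc2759_vector_ok())
    r = challenge_for_request(bytes(range(16)), bytes(range(16, 32)), "radiustest@example.co.uk")
    for k, v in r.items():
        print(f"{k}: {v.hex() if isinstance(v, bytes) else v}")
```

Running it shows the two challenges diverge as soon as a realm is present, so option (a) in Alan's reply (clients send the plain username) is the only way the directory lookup name and the MS-CHAP input name can coincide without FreeRADIUS holding the password itself.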