FR 3.0.21 authenticating to OpenDirectory on macOS Catalina
Jason Holloway
jason_holloway at mac.com
Fri Nov 20 20:00:53 CET 2020
Hello,
FR compiled from source, configured according to the Apple Support KB, and
tested authenticating successfully via PAP.
However, MSCHAPv2 authentication is failing.
(3) Received Access-Request Id 27 from XXX to YYY length 134
(3) Service-Type = Framed-User
(3) Framed-Protocol = PPP
(3) User-Name = "jasonh"
(3) MS-CHAP-Challenge = 0x16595e62295ac4e32812a88453133fe1
(3) MS-CHAP2-Response =
0x00326393cddb212a637ff9cac34ccfa379be00000000000000007f39e4bc2b1a7ac69
523633cf0c147f5e3783267bc11a92e
(3) NAS-IP-Address = XXX
(3) NAS-Port = 0
(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) auth_log: EXPAND
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-
Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log: -->
/usr/local/var/log/radius/radacct/192.168.90.254/auth-detail-20201120
(3) auth_log:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-
Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
/usr/local/var/log/radius/radacct/XXX/auth-detail-20201120
(3) auth_log: EXPAND %t
(3) auth_log: --> Fri Nov 20 16:56:00 2020
(3) [auth_log] = ok
(3) [chap] = noop
(3) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(3) [mschap] = ok
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "jasonh", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: No EAP-Message, not doing EAP
(3) [eap] = noop
(3) files: users: Matched entry DEFAULT at line 167
(3) [files] = ok
(3) opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
(3) opendirectory: The host XXX does not have an access group.
(3) opendirectory: no access control groups, all users allowed
(3) [opendirectory] = ok
(3) sql: EXPAND %{User-Name}
(3) sql: --> jasonh
(3) sql: SQL-User-Name set to 'jasonh'
rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for
62 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for
62 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for
62 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase
"spare"
rlm_sql (sql): Opening additional connection (11), 1 of 32 pending
slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Reserved connection (11)
(3) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(3) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'jasonh' ORDER BY id
(3) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'jasonh' ORDER BY id
(3) sql: WARNING: User not found in radcheck table.
rlm_sql (sql): 1 of 1 connections in use. You may need to increase
"spare"
rlm_sql (sql): Opening additional connection (12), 1 of 31 pending
slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Reserved connection (12)
rlm_sql (sql): Released connection (12)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (13), 1 of 30 pending
slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(3) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(3) sql: --> SELECT groupname FROM radusergroup WHERE username =
'jasonh' ORDER BY priority
(3) sql: Executing select query: SELECT groupname FROM radusergroup
WHERE username = 'jasonh' ORDER BY priority
(3) sql: User not found in any groups
rlm_sql (sql): Released connection (11)
(3) [sql] = notfound
(3) [expiration] = noop
(3) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(3) [pap] = noop
(3) } # authorize = ok
(3) Found Auth-Type = mschap
(3) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(3) mschap: No NT-Password configured. Trying OpenDirectory
Authentication
(3) mschap: OD username_string = jasonh, OD shortUserName= (length =
0)
(3) mschap: ERROR: rlm_mschap: authentication failed - status =
eUndefinedError
(3) [mschap] = reject
(3) } # authenticate = reject
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) sql: EXPAND .query
(3) sql: --> .query
(3) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (11)
(3) sql: EXPAND %{User-Name}
(3) sql: --> jasonh
(3) sql: SQL-User-Name set to 'jasonh'
(3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}',
'%S.%M')
(3) sql: --> INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'jasonh', '', 'Access-Reject', '2020-11-20
16:56:00.652402')
(3) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES ( 'jasonh', '', 'Access-Reject', '2020-11-20
16:56:00.652402')
(3) sql: SQL query returned: success
(3) sql: 1 record(s) updated
rlm_sql (sql): Released connection (11)
(3) [sql] = ok
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> jasonh
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Login incorrect (mschap: rlm_mschap: authentication failed - status
= eUndefinedError): [jasonh] (from client ZZZ port 0)
(3) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 27 from YYY:1812 to XXX:56975 length 20
Waking up in 3.9 seconds.
(3) Cleaning up request packet ID 27 with timestamp +304
Ready to process requests
The relevant part I think is this one:
(3) authenticate {
(3) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(3) mschap: No NT-Password configured. Trying OpenDirectory
Authentication
(3) mschap: OD username_string = jasonh, OD shortUserName= (length =
0)
(3) mschap: ERROR: rlm_mschap: authentication failed - status =
eUndefinedError
(3) [mschap] = reject
As the radtest client only supports MSCHAPv1, this skips the OpenDirectory
(OD) authentication, so it doesn’t provide any further insights.
I see there have been previous issues logged by others with the same
error message, but no confirmation that these were ever fixed.
Help?
Thanks,
Jason H
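As an added example (not from the original post or from FreeRADIUS itself), a small Python triage helper for radiusd -X output like the log above: it tracks each request's top-level section, collects the WARNING/ERROR lines a module logs, and reports the first module that returns reject or fail together with those diagnostics. The sample log is a constructed, trimmed excerpt modelled on the quoted output; the hosts are placeholders.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the radiusd -X output quoted in the post.
SAMPLE_LOG = """\
(3) Received Access-Request Id 27 from XXX to YYY length 134
(3)   User-Name = "jasonh"
(3)   authorize {
(3)     [preprocess] = ok
(3)   mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(3)     [mschap] = ok
(3)     [sql] = notfound
(3)   } # authorize = ok
(3) Found Auth-Type = mschap
(3)   authenticate {
(3)   mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(3)   mschap: No NT-Password configured. Trying OpenDirectory Authentication
(3)   mschap: OD username_string = jasonh, OD shortUserName= (length = 0)
(3)   mschap: ERROR: rlm_mschap: authentication failed - status = eUndefinedError
(3)     [mschap] = reject
(3)   } # authenticate = reject
(3) Sent Access-Reject Id 27 from YYY:1812 to XXX:56975 length 20
"""

# "(3)     [mschap] = reject"  -> request id, module, return code
RCODE_RE = re.compile(r"^\((\d+)\)\s+\[([\w.]+)\] = (\w+)$")
# "(3)   authenticate {"       -> request id, top-level section name
SECTION_RE = re.compile(r"^\((\d+)\)\s+(authorize|authenticate|Post-Auth-Type \w+|preacct|accounting) \{$")
# "(3)   mschap: ERROR: ..."   -> request id, module, severity, message
MSG_RE = re.compile(r"^\((\d+)\)\s+([\w.]+): (WARNING|ERROR): (.*)$")

def triage(log: str) -> Dict[int, dict]:
    """Per request id: the section and module where the request was first rejected,
    plus the WARNING/ERROR lines that module logged in that section."""
    reports: Dict[int, dict] = {}
    section: Dict[int, str] = {}
    pending: Dict[tuple, List[str]] = {}   # (request id, module) -> diagnostics
    for line in log.splitlines():
        if m := SECTION_RE.match(line):
            rid = int(m.group(1))
            section[rid] = m.group(2)
            pending = {k: v for k, v in pending.items() if k[0] != rid}  # new section, fresh slate
        elif m := MSG_RE.match(line):
            rid, mod = int(m.group(1)), m.group(2)
            pending.setdefault((rid, mod), []).append(f"{m.group(3)}: {m.group(4)}")
        elif m := RCODE_RE.match(line):
            rid, mod, rcode = int(m.group(1)), m.group(2), m.group(3)
            if rcode in ("reject", "fail") and rid not in reports:
                reports[rid] = {"section": section.get(rid), "module": mod,
                                "rcode": rcode, "diagnostics": pending.pop((rid, mod), [])}
    return reports

if __name__ == "__main__":
    for rid, rep in triage(SAMPLE_LOG).items():
        print(f"request {rid}: {rep['module']} returned {rep['rcode']} in {rep['section']}")
        for diag in rep["diagnostics"]:
            print("   ", diag)
```

Running it on the sample pins the failure to the mschap module in the authenticate section, with the missing NT-Password warning and the OD eUndefinedError as the attached diagnostics.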