FR 3.0.21 authenticating to OpenDirectory on macOS Catalina


FR 3.0.21 authenticating to OpenDirectory on macOS Catalina

Users mailing list
   Hello,

   FR compiled from source, configured according to Apple Support KB and
   tested authenticating successfully via PAP.

   However, MSCHAPv2 authentication is failing.

   (3) Received Access-Request Id 27 from XXX to YYY length 134
   (3)   Service-Type = Framed-User
   (3)   Framed-Protocol = PPP
   (3)   User-Name = "jasonh"
   (3)   MS-CHAP-Challenge = 0x16595e62295ac4e32812a88453133fe1
   (3)   MS-CHAP2-Response =
   0x00326393cddb212a637ff9cac34ccfa379be00000000000000007f39e4bc2b1a7ac69
   523633cf0c147f5e3783267bc11a92e
   (3)   NAS-IP-Address = XXX
   (3)   NAS-Port = 0
   (3) # Executing section authorize from file
   /usr/local/etc/raddb/sites-enabled/default
   (3)   authorize {
   (3)     policy filter_username {
   (3)       if (&User-Name) {
   (3)       if (&User-Name)  -> TRUE
   (3)       if (&User-Name)  {
   (3)         if (&User-Name =~ / /) {
   (3)         if (&User-Name =~ / /)  -> FALSE
   (3)         if (&User-Name =~ /@[^@]*@/ ) {
   (3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
   (3)         if (&User-Name =~ /\.\./ ) {
   (3)         if (&User-Name =~ /\.\./ )  -> FALSE
   (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
    {
   (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
     -> FALSE
   (3)         if (&User-Name =~ /\.$/)  {
   (3)         if (&User-Name =~ /\.$/)   -> FALSE
   (3)         if (&User-Name =~ /@\./)  {
   (3)         if (&User-Name =~ /@\./)   -> FALSE
   (3)       } # if (&User-Name)  = notfound
   (3)     } # policy filter_username = notfound
   (3)     [preprocess] = ok
   (3) auth_log: EXPAND
   /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-
   Src-IPv6-Address}}/auth-detail-%Y%m%d
   (3) auth_log:    -->
   /usr/local/var/log/radius/radacct/192.168.90.254/auth-detail-20201120
   (3) auth_log:
   /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-
   Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
   /usr/local/var/log/radius/radacct/XXX/auth-detail-20201120
   (3) auth_log: EXPAND %t
   (3) auth_log:    --> Fri Nov 20 16:56:00 2020
   (3)     [auth_log] = ok
   (3)     [chap] = noop
   (3) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
   (3)     [mschap] = ok
   (3)     [digest] = noop
   (3) suffix: Checking for suffix after "@"
   (3) suffix: No '@' in User-Name = "jasonh", looking up realm NULL
   (3) suffix: No such realm "NULL"
   (3)     [suffix] = noop
   (3) eap: No EAP-Message, not doing EAP
   (3)     [eap] = noop
   (3) files: users: Matched entry DEFAULT at line 167
   (3)     [files] = ok
   (3) opendirectory: The SACL group "com.apple.access_radius" does not
   exist on this system.
   (3) opendirectory: The host XXX does not have an access group.
   (3) opendirectory: no access control groups, all users allowed
   (3)     [opendirectory] = ok
   (3) sql: EXPAND %{User-Name}
   (3) sql:    --> jasonh
   (3) sql: SQL-User-Name set to 'jasonh'
   rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for
   62 seconds
   rlm_sql (sql): You probably need to lower "min"
   rlm_sql_sqlite: Socket destructor called, closing socket
   rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for
   62 seconds
   rlm_sql (sql): You probably need to lower "min"
   rlm_sql_sqlite: Socket destructor called, closing socket
   rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for
   62 seconds
   rlm_sql (sql): You probably need to lower "min"
   rlm_sql_sqlite: Socket destructor called, closing socket
   rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase
   "spare"
   rlm_sql (sql): Opening additional connection (11), 1 of 32 pending
   slots used
   rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
   rlm_sql (sql): Reserved connection (11)
   (3) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
   WHERE username = '%{SQL-User-Name}' ORDER BY id
   (3) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
   WHERE username = 'jasonh' ORDER BY id
   (3) sql: Executing select query: SELECT id, username, attribute, value,
   op FROM radcheck WHERE username = 'jasonh' ORDER BY id
   (3) sql: WARNING: User not found in radcheck table.
   rlm_sql (sql): 1 of 1 connections in use.  You  may need to increase
   "spare"
   rlm_sql (sql): Opening additional connection (12), 1 of 31 pending
   slots used
   rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
   rlm_sql (sql): Reserved connection (12)
   rlm_sql (sql): Released connection (12)
   Need 1 more connections to reach min connections (3)
   rlm_sql (sql): Opening additional connection (13), 1 of 30 pending
   slots used
   rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
   (3) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
   '%{SQL-User-Name}' ORDER BY priority
   (3) sql:    --> SELECT groupname FROM radusergroup WHERE username =
   'jasonh' ORDER BY priority
   (3) sql: Executing select query: SELECT groupname FROM radusergroup
   WHERE username = 'jasonh' ORDER BY priority
   (3) sql: User not found in any groups
   rlm_sql (sql): Released connection (11)
   (3)     [sql] = notfound
   (3)     [expiration] = noop
   (3)     [logintime] = noop
   Not doing PAP as Auth-Type is already set.
   (3)     [pap] = noop
   (3)   } # authorize = ok
   (3) Found Auth-Type = mschap
   (3) # Executing group from file
   /usr/local/etc/raddb/sites-enabled/default
   (3)   authenticate {
   (3) mschap: WARNING: No Cleartext-Password configured.  Cannot create
   NT-Password
   (3) mschap: No NT-Password configured. Trying OpenDirectory
   Authentication
   (3) mschap: OD username_string = jasonh, OD shortUserName= (length =
   0)
   (3) mschap: ERROR: rlm_mschap: authentication failed - status =
   eUndefinedError
   (3)     [mschap] = reject
   (3)   } # authenticate = reject
   (3) Failed to authenticate the user
   (3) Using Post-Auth-Type Reject
   (3) # Executing group from file
   /usr/local/etc/raddb/sites-enabled/default
   (3)   Post-Auth-Type REJECT {
   (3) sql: EXPAND .query
   (3) sql:    --> .query
   (3) sql: Using query template 'query'
   rlm_sql (sql): Reserved connection (11)
   (3) sql: EXPAND %{User-Name}
   (3) sql:    --> jasonh
   (3) sql: SQL-User-Name set to 'jasonh'
   (3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
   authdate) VALUES ( '%{SQL-User-Name}',
   '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}',
   '%S.%M')
   (3) sql:    --> INSERT INTO radpostauth (username, pass, reply,
   authdate) VALUES ( 'jasonh', '', 'Access-Reject', '2020-11-20
   16:56:00.652402')
   (3) sql: Executing query: INSERT INTO radpostauth (username, pass,
   reply, authdate) VALUES ( 'jasonh', '', 'Access-Reject', '2020-11-20
   16:56:00.652402')
   (3) sql: SQL query returned: success
   (3) sql: 1 record(s) updated
   rlm_sql (sql): Released connection (11)
   (3)     [sql] = ok
   (3) attr_filter.access_reject: EXPAND %{User-Name}
   (3) attr_filter.access_reject:    --> jasonh
   (3) attr_filter.access_reject: Matched entry DEFAULT at line 11
   (3)     [attr_filter.access_reject] = updated
   (3)     [eap] = noop
   (3)     policy remove_reply_message_if_eap {
   (3)       if (&reply:EAP-Message && &reply:Reply-Message) {
   (3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
   (3)       else {
   (3)         [noop] = noop
   (3)       } # else = noop
   (3)     } # policy remove_reply_message_if_eap = noop
   (3)   } # Post-Auth-Type REJECT = updated
   (3) Login incorrect (mschap: rlm_mschap: authentication failed - status
   = eUndefinedError): [jasonh] (from client ZZZ port 0)
   (3) Delaying response for 1.000000 seconds
   Waking up in 0.3 seconds.
   Waking up in 0.6 seconds.
   (3) Sending delayed response
   (3) Sent Access-Reject Id 27 from YYY:1812 to XXX:56975 length 20
   Waking up in 3.9 seconds.
   (3) Cleaning up request packet ID 27 with timestamp +304
   Ready to process requests

   The relevant part I think is this one:
   (3)   authenticate {
   (3) mschap: WARNING: No Cleartext-Password configured.  Cannot create
   NT-Password
   (3) mschap: No NT-Password configured. Trying OpenDirectory
   Authentication
   (3) mschap: OD username_string = jasonh, OD shortUserName= (length =
   0)
   (3) mschap: ERROR: rlm_mschap: authentication failed - status =
   eUndefinedError
   (3)     [mschap] = reject

   As the radtest client only supports MSCHAP v1, this skips the OpenDirectory
   (OD) authentication and so doesn’t provide any further insights.

   I see there have been previous issues logged by others with the same
   error message, but no confirmation that these were ever fixed.

   Help?

   Thanks,

   Jason H
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
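A small triage script for debug output like the one above, added here as an example and not taken from the thread or from FreeRADIUS itself. It groups the "(N) ..." lines that radiusd -X prints per request, records the request attributes, the return code of each top-level section and module, every module message and the final "Login incorrect" reason, and turns the mschap warnings into operator-facing hints (no local password source, verdict delegated to OpenDirectory). The embedded SAMPLE_LOG is a constructed, shortened copy of the log in the post; the 192.0.2.x addresses and the client name lab-nas are placeholders.

```python
"""Triage a FreeRADIUS 3.x debug (radiusd -X) log and say why a request was rejected.

Added example for the thread above; not code from FreeRADIUS or from the poster.
SAMPLE_LOG is a constructed, shortened copy of the debug output in the thread
(addresses are RFC 5737 documentation values, client name is a placeholder).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
(3) Received Access-Request Id 27 from 192.0.2.10:56975 to 192.0.2.1:1812 length 134
(3)   User-Name = "jasonh"
(3)   MS-CHAP-Challenge = 0x16595e62295ac4e32812a88453133fe1
(3)   MS-CHAP2-Response = 0x00326393cddb212a637ff9cac34ccfa379be00000000000000007f39e4bc2b1a7ac69523633cf0c147f5e3783267bc11a92e
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(3)     [mschap] = ok
(3) sql: WARNING: User not found in radcheck table.
(3)     [sql] = notfound
(3)   } # authorize = ok
(3) Found Auth-Type = mschap
(3)   authenticate {
(3) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(3) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(3) mschap: ERROR: rlm_mschap: authentication failed - status = eUndefinedError
(3)     [mschap] = reject
(3)   } # authenticate = reject
(3) Login incorrect (mschap: rlm_mschap: authentication failed - status = eUndefinedError): [jasonh] (from client lab-nas port 0)
(3) Sent Access-Reject Id 27 from 192.0.2.1:1812 to 192.0.2.10:56975 length 20
"""

# radiusd -X indents request attributes and top-level sections by two spaces and
# module return codes by four; nested policies/ifs are indented deeper and skipped.
LINE_RE = re.compile(r"^\((\d+)\) ?(.*)$")
ATTR_RE = re.compile(r"^  ([A-Za-z0-9-]+) = (.*)$")
SECTION_OPEN_RE = re.compile(r"^  (\S.*?) \{$")
SECTION_CLOSE_RE = re.compile(r"^  \} # (.*?) = (\w+)$")
MODULE_RE = re.compile(r"^ {4}\[([\w.]+)\] = (\w+)$")
LOGIN_RE = re.compile(r"^Login incorrect \((.*)\): \[(.*?)\]")
MSG_RE = re.compile(r"^([\w.]+): (?:(WARNING|ERROR): )?(.*)$")


@dataclass
class RequestSummary:
    number: int
    attributes: Dict[str, str] = field(default_factory=dict)
    sections: Dict[str, str] = field(default_factory=dict)  # section -> return code
    module_results: List[Tuple[str, str, str]] = field(default_factory=list)  # (section, module, rcode)
    messages: List[Tuple[str, str, str]] = field(default_factory=list)  # (module, level, text)
    reject_reason: Optional[str] = None

    def rejecting_module(self) -> Optional[str]:
        """First module whose return code was 'reject', in execution order."""
        return next((mod for _, mod, rc in self.module_results if rc == "reject"), None)

    def hints(self) -> List[str]:
        """Turn the mschap messages seen in the thread into operator-facing hints."""
        texts = [t for _, _, t in self.messages]
        out = []
        if any(a.startswith("MS-CHAP") for a in self.attributes) and any(
                "Cannot create NT-Password" in t for t in texts):
            out.append("no Cleartext-Password/NT-Password known for this user, so "
                       "mschap cannot verify the MS-CHAP response locally")
        if self.rejecting_module() == "mschap" and any("Trying OpenDirectory" in t for t in texts):
            out.append("the reject came back from OpenDirectory, not from a password "
                       "comparison inside FreeRADIUS; see the mschap ERROR status")
        return out


def triage(log_text: str) -> Dict[int, RequestSummary]:
    """Parse a debug log into one RequestSummary per request number."""
    requests: Dict[int, RequestSummary] = {}
    open_section: Dict[int, Optional[str]] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # global lines (e.g. rlm_sql pool messages) carry no request number
        num, body = int(m.group(1)), m.group(2)
        summary = requests.setdefault(num, RequestSummary(num))
        section = open_section.get(num)
        if (mo := SECTION_OPEN_RE.match(body)):
            open_section[num] = mo.group(1)
        elif (mc := SECTION_CLOSE_RE.match(body)):
            summary.sections[mc.group(1)] = mc.group(2)
            open_section[num] = None
        elif (mm := MODULE_RE.match(body)) and section:
            summary.module_results.append((section, mm.group(1), mm.group(2)))
        elif (ma := ATTR_RE.match(body)) and section is None:
            summary.attributes[ma.group(1)] = ma.group(2).strip('"')
        elif (ml := LOGIN_RE.match(body)):
            summary.reject_reason = ml.group(1)
        elif (mg := MSG_RE.match(body)):
            summary.messages.append((mg.group(1), mg.group(2) or "INFO", mg.group(3)))
    return requests


def report(summary: RequestSummary) -> str:
    """Human-readable one-request summary."""
    lines = [f"request ({summary.number}) User-Name={summary.attributes.get('User-Name', '?')}"]
    lines += [f"  {sec} = {rc}" for sec, rc in summary.sections.items()]
    if summary.rejecting_module():
        lines.append(f"  rejected by: {summary.rejecting_module()}")
    if summary.reject_reason:
        lines.append(f"  reason: {summary.reject_reason}")
    lines += [f"  hint: {h}" for h in summary.hints()]
    return "\n".join(lines)


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG).values():
        print(report(summary))
```

Run it on a real -X capture by feeding the file contents to triage(); module-global lines such as the rlm_sql pool messages are ignored because they carry no "(N)" prefix, and only the two-space-indented sections (authorize, authenticate, Post-Auth-Type ...) are tracked, so nested policy blocks do not confuse the section bookkeeping.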

Re: FR 3.0.21 authenticating to OpenDirectory on macOS Catalina

Alan DeKok-2
On Nov 20, 2020, at 2:00 PM, Jason Holloway via Freeradius-Users <[hidden email]> wrote:

>
>   FR compiled from source, configured according to Apple Support KB and
>   tested authenticating successfully via PAP.
>
>   However, MSCHAPv2 authentication failing.
>
>   (3) mschap: WARNING: No Cleartext-Password configured.  Cannot create
>   NT-Password
>   (3) mschap: No NT-Password configured. Trying OpenDirectory
>   Authentication
>   (3) mschap: OD username_string = jasonh, OD shortUserName= (length =
>   0)
>   (3) mschap: ERROR: rlm_mschap: authentication failed - status =
>   eUndefinedError

  What a helpful error message. :(

  The issue here is that FreeRADIUS hands the MS-CHAP data to OpenDirectory, and OpenDirectory returns success / fail.  Or in this case, "error".

  Unless we get more information about how OpenDirectory works, there isn't much more that we can do.

  Alan DeKok.



Re: FR 3.0.21 authenticating to OpenDirectory on macOS Catalina

Users mailing list
   Hi all,

   Alan, thank you for confirming what I suspected.

   Before I go tilting at windmills, has anyone on here successfully
   managed to integrate with OD under macOS Catalina for MSCHAPv2
   authentication?

   Thanks,

   Jason

   On 22 November 2020 at 14:03:39, Alan DeKok
   ([hidden email]) wrote:

   On Nov 20, 2020, at 2:00 PM, Jason Holloway via Freeradius-Users
   <[hidden email]> wrote:
   >
   > FR compiled from source, configured according to Apple Support KB and
   > tested authenticating successfully via PAP.
   >
   > However, MSCHAPv2 authentication failing.
   >
   > (3) mschap: WARNING: No Cleartext-Password configured. Cannot create
   > NT-Password
   > (3) mschap: No NT-Password configured. Trying OpenDirectory
   > Authentication
   > (3) mschap: OD username_string = jasonh, OD shortUserName= (length =
   > 0)
   > (3) mschap: ERROR: rlm_mschap: authentication failed - status =
   > eUndefinedError
   What a helpful error message. :(
   The issue here is that FreeRADIUS hands the MS-CHAP data to
   OpenDirectory, and OpenDirectory returns success / fail. Or in this
   case, "error".
   Unless we get more information about how OpenDirectory works, there
   isn't much more that we can do.
   Alan DeKok.