Problems getting along with Open Directory


Problems getting along with Open Directory

Philip Ershler
Hello,
I am trying to use LDAP access to Open Directory on a 10.14.6 machine. I installed Freeradius from MacPorts. I am attempting to use Freeradius to authenticate wireless users. If I make the following edit to /opt/local/etc/raddb/mods-config/files/authorize, I can make a wireless connection without problems.

# The canonical testing user which is in most of the
# examples.
#
#bob    Cleartext-Password := "hello"
#       Reply-Message := "Hello, %{User-Name}"
#

#
ershler Cleartext-Password := "mypass"
        Reply-Message := "Hello, %{User-Name}"
#

Here you can see the Reply-Message in several places as the authentication proceeds.

Received Access-Request Id 73 from 155.100.140.233:58880 to 155.100.140.85:1812 length 196
(9)   User-Name = "ershler"
(9)   NAS-IP-Address = 155.100.140.233
(9)   NAS-Port = 0
(9)   Called-Station-Id = "00-26-BB-74-F6-1F:CVRTI-G"
(9)   Calling-Station-Id = "A0-99-9B-10-AF-65"
(9)   Framed-MTU = 1400
(9)   NAS-Port-Type = Wireless-802.11
(9)   Connect-Info = "CONNECT 0Mbps 802.11"
(9)   EAP-Message = 0x02b200251900170303001a44ad024358ecd35da92afbb2e7970520a3c18852ced0f46ef259
(9)   State = 0xe2201e71ea92079232d7793ca94d3ef5
(9)   Message-Authenticator = 0x1383e35fceb57971f268e1e223750d27
(9) Restoring &session-state
(9)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "ershler", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 178 length 37
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /opt/local/etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x9638639a978a7940
(9) eap: Finished EAP session with state 0xe2201e71ea920792
(9) eap: Previous EAP request found for state 0xe2201e71ea920792, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap:   EAP-Message = 0x02b200061a03
(9) eap_peap: Setting User-Name to ershler
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap:   EAP-Message = 0x02b200061a03
(9) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap:   User-Name = "ershler"
(9) eap_peap:   State = 0x9638639a978a79408050c69dcac660aa
(9) Virtual server inner-tunnel received request
(9)   EAP-Message = 0x02b200061a03
(9)   FreeRADIUS-Proxied-To = 127.0.0.1
(9)   User-Name = "ershler"
(9)   State = 0x9638639a978a79408050c69dcac660aa
(9) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(9) server inner-tunnel {
(9)   session-state: No cached attributes
(9)   # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(9)     authorize {
(9)       policy filter_username {
(9)         if (&User-Name) {
(9)         if (&User-Name)  -> TRUE
(9)         if (&User-Name)  {
(9)           if (&User-Name =~ / /) {
(9)           if (&User-Name =~ / /)  -> FALSE
(9)           if (&User-Name =~ /@[^@]*@/ ) {
(9)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)           if (&User-Name =~ /\.\./ ) {
(9)           if (&User-Name =~ /\.\./ )  -> FALSE
(9)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)           if (&User-Name =~ /\.$/)  {
(9)           if (&User-Name =~ /\.$/)   -> FALSE
(9)           if (&User-Name =~ /@\./)  {
(9)           if (&User-Name =~ /@\./)   -> FALSE
(9)         } # if (&User-Name)  = notfound
(9)       } # policy filter_username = notfound
(9)       [chap] = noop
(9)       [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "ershler", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)       [suffix] = noop
(9)       update control {
(9)         &Proxy-To-Realm := LOCAL
(9)       } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 178 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)       [eap] = updated
(9) files: users: Matched entry ershler at line 92
(9) files: EXPAND Hello, %{User-Name}
(9) files:    --> Hello, ershler
(9)       [files] = ok
(9)       [expiration] = noop
(9)       [logintime] = noop
(9) pap: WARNING: Auth-Type already set.  Not setting to PAP
(9)       [pap] = noop
(9)     } # authorize = updated
(9)   Found Auth-Type = eap
(9)   # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(9)     authenticate {
(9) eap: Expiring EAP session with state 0x9638639a978a7940
(9) eap: Finished EAP session with state 0x9638639a978a7940
(9) eap: Previous EAP request found for state 0x9638639a978a7940, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 178 length 4
(9) eap: Freeing handler
(9)       [eap] = ok
(9)     } # authenticate = ok
(9)   # Executing section post-auth from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(9)     post-auth {
(9)       if (0) {
(9)       if (0)  -> FALSE
(9)     } # post-auth = noop
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9)   Reply-Message = "Hello, ershler"
(9)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9)   MS-MPPE-Send-Key = 0x7a8a71ab9a85e2ccc32c93159586c440
(9)   MS-MPPE-Recv-Key = 0x5731187423009b1ee0e1a8ce75e482ca
(9)   EAP-Message = 0x03b20004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name = "ershler"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap:   Reply-Message = "Hello, ershler"
(9) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap:   MS-MPPE-Send-Key = 0x7a8a71ab9a85e2ccc32c93159586c440
(9) eap_peap:   MS-MPPE-Recv-Key = 0x5731187423009b1ee0e1a8ce75e482ca
(9) eap_peap:   EAP-Message = 0x03b20004
(9) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap:   User-Name = "ershler"
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap:   Reply-Message = "Hello, ershler"

**************************************************************************************


With dscl, I can see the following apple-enabled-auth-mech enabled

admin$ dscl /LDAPv3/127.0.0.1 read /Config/dirserv apple-enabled-auth-mech
dsAttrTypeNative:apple-enabled-auth-mech: DHX DIGEST-MD5 GSSAPI SRP CRAM-MD5 WEBDAV-DIGEST SMB-NTLMv3 EAP-MSCHAPv2 SMB-NTLMv2

If I take my name and password out of /opt/local/etc/raddb/mods-config/files/authorize, then I get the following errors from FreeRadius. I am wondering what or where the problem is.


**************************************************************************************

(30)   FreeRADIUS-Proxied-To = 127.0.0.1
(30)   User-Name = "ershler"
(30)   State = 0xfdbd9f93fd6a85f8a445b5c272e47828
(30) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(30) server inner-tunnel {
(30)   session-state: No cached attributes
(30)   # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30)     authorize {
(30)       policy filter_username {
(30)         if (&User-Name) {
(30)         if (&User-Name)  -> TRUE
(30)         if (&User-Name)  {
(30)           if (&User-Name =~ / /) {
(30)           if (&User-Name =~ / /)  -> FALSE
(30)           if (&User-Name =~ /@[^@]*@/ ) {
(30)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(30)           if (&User-Name =~ /\.\./ ) {
(30)           if (&User-Name =~ /\.\./ )  -> FALSE
(30)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(30)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(30)           if (&User-Name =~ /\.$/)  {
(30)           if (&User-Name =~ /\.$/)   -> FALSE
(30)           if (&User-Name =~ /@\./)  {
(30)           if (&User-Name =~ /@\./)   -> FALSE
(30)         } # if (&User-Name)  = notfound
(30)       } # policy filter_username = notfound
(30)       [chap] = noop
(30)       [mschap] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "ershler", looking up realm NULL
(30) suffix: No such realm "NULL"
(30)       [suffix] = noop
(30)       update control {
(30)         &Proxy-To-Realm := LOCAL
(30)       } # update control = noop
(30) eap: Peer sent EAP Response (code 2) ID 215 length 66
(30) eap: No EAP Start, assuming it's an on-going EAP conversation
(30)       [eap] = updated
(30)       [files] = noop
(30)       [expiration] = noop
(30)       [logintime] = noop
(30)       [pap] = noop
(30)     } # authorize = updated
(30)   Found Auth-Type = eap
(30)   # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30)     authenticate {
(30) eap: Expiring EAP session with state 0xfdbd9f93fd6a85f8
(30) eap: Finished EAP session with state 0xfdbd9f93fd6a85f8
(30) eap: Previous EAP request found for state 0xfdbd9f93fd6a85f8, released from the list
(30) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(30) eap: Calling submodule eap_mschapv2 to process data
(30) eap_mschapv2: # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30) eap_mschapv2:   authenticate {
(30) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(30) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(30) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(30) mschap: OD username_string = ershler, OD shortUserName=ershler (length = 7)
(30) mschap: ERROR: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported
(30) eap_mschapv2:     [mschap] = reject
(30) eap_mschapv2:   } # authenticate = reject
(30) eap: Sending EAP Failure (code 4) ID 215 length 4
(30) eap: Freeing handler
(30)       [eap] = reject
(30)     } # authenticate = reject
(30)   Failed to authenticate the user
(30)   Using Post-Auth-Type Reject
(30)   # Executing group from file /opt/local/etc/raddb/sites-enabled/inner-tunnel
(30)     Post-Auth-Type REJECT {
(30) attr_filter.access_reject: EXPAND %{User-Name}
(30) attr_filter.access_reject:    --> ershler
(30) attr_filter.access_reject: Matched entry DEFAULT at line 11
(30)       [attr_filter.access_reject] = updated
(30)       update outer.session-state {
(30)         &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported'
(30)       } # update outer.session-state = noop
(30)     } # Post-Auth-Type REJECT = updated
(30) } # server inner-tunnel



************************************************************************************


Thanks,
Phil Ershler


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
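The two traces in the post are long, and the lines that decide the outcome are few: the users-file match on request (9), the rlm_mschap error followed by the EAP Failure on request (30), and the "Outer and inner identities are the same" warning on both. The following is an added example, not code from the thread or from FreeRADIUS, that reduces a radiusd -X trace to a per-request summary so those lines stand out; the sample input is excerpted from the traces above, and the regular expressions assume the message formats seen there.

```python
import re
from collections import defaultdict

# Excerpted from the two radiusd -X traces in the post above: request (9)
# matched the users file and succeeded, request (30) was rejected by rlm_mschap.
SAMPLE_TRACE = """\
(9)   User-Name = "ershler"
(9) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(9) files: users: Matched entry ershler at line 92
(9) eap: Sending EAP Success (code 3) ID 178 length 4
(30)   User-Name = "ershler"
(30) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(30) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(30) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(30) mschap: ERROR: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported
(30) eap: Sending EAP Failure (code 4) ID 215 length 4
"""

# Line shapes as they appear in the traces above (assumed stable for this format).
LINE_RE = re.compile(r"^\((\d+)\)\s*(.*)$")            # "(30) rest of line"
USER_RE = re.compile(r'^User-Name = "([^"]*)"$')
FILES_RE = re.compile(r"^files: users: Matched entry (\S+) at line (\d+)$")
ERROR_RE = re.compile(r"^(\w+): ERROR: (.*)$")          # "mschap: ERROR: ..."
EAP_RE = re.compile(r"^eap: Sending EAP (Success|Failure) ")
PRIVACY_WARNING = "Outer and inner identities are the same"


def _new_request():
    return {"user": None, "eap": None, "errors": [],
            "users_file_match": None, "identity_leak": False}


def triage(trace: str) -> dict:
    """Summarise each request in a radiusd -X trace: who, outcome, and why."""
    reqs = defaultdict(_new_request)
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rid, body = int(m.group(1)), m.group(2).strip()
        r = reqs[rid]
        u = USER_RE.match(body)
        if u:
            r["user"] = r["user"] or u.group(1)      # first User-Name seen wins
            continue
        f = FILES_RE.match(body)
        if f:
            r["users_file_match"] = (f.group(1), int(f.group(2)))
            continue
        e = ERROR_RE.match(body)
        if e:
            r["errors"].append(f"{e.group(1)}: {e.group(2)}")
            continue
        s = EAP_RE.match(body)
        if s:
            r["eap"] = s.group(1)
            continue
        if PRIVACY_WARNING in body:
            # The real username was sent as the cleartext outer EAP identity.
            r["identity_leak"] = True
    return dict(reqs)


def rejections(summary: dict) -> list:
    """(request id, user, first module error) for every request that ended in EAP Failure."""
    return [(rid, r["user"], r["errors"][0] if r["errors"] else "no module error logged")
            for rid, r in sorted(summary.items()) if r["eap"] == "Failure"]


if __name__ == "__main__":
    summary = triage(SAMPLE_TRACE)
    for rid, r in sorted(summary.items()):
        print(rid, r)
    print("rejections:", rejections(summary))
```

Two things the summary surfaces: request (30) fails inside rlm_mschap before any reply is built, which is why the Reply-Message from the users file never appears in that trace, and both requests carry the identity warning. That warning is fixed on the client, not the server: the supplicant should send an anonymous outer identity so the real username only travels inside the TLS tunnel.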

Re: Problems getting along with Open Directory

Alan DeKok-2
On Sep 30, 2019, at 6:24 PM, Philip Ershler <[hidden email]> wrote:
> I am trying to use LDAP access to Open Directory on a 10.14.6 machine. I installed Freeradius from MacPorts. I am attempting to use Freeradius to authenticate wireless users. If I make the following edit to /opt/local/etc/raddb/mods-config/files/authorize, I can make a wireless connection without problems.
> ...
> (30) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (30) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
> (30) mschap: No NT-Password configured. Trying OpenDirectory Authentication
> (30) mschap: OD username_string = ershler, OD shortUserName=ershler (length = 7)
> (30) mschap: ERROR: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported

  That is unfortunately OpenDirectory magic.  We don't really know much about it, and it's difficult to help.  This is really a question for Apple.

  You have to configure OpenDirectory properly.  What does that mean?  We're not sure.  OpenDirectory is from Apple, not us.

  Apple does have some documentation available at:

https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf

  That may help.

  Alan DeKok.

