Discussion:
Help configuring FreeRADIUS on OS X Server - ERROR: (2) mschap:
(too old to reply)
Eric Wittle
2018-12-03 02:47:30 UTC
Permalink
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf, pages 12-16), authentication fails.

I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.

Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.

Thanks in advance.

-Eric



-
List info/subscribe/unsubscribe? See http://www.freeradiu
Matthew Newton
2018-12-03 09:39:07 UTC
Permalink
Post by Eric Wittle
(null): status = eServerError” in the radius.log file.
That error resulted from trying to connect to OpenDirectory.

Does OpenDirectory log anything useful?
Post by Eric Wittle
Following the instructions on the user list, I captured the attached
debug file. Any help would be appreciated, because I’m a bit lost.
Debug was missing. Can you just paste it into the e-mail rather than
attaching it. Use just "-X", don't use "-Xx" or other variants.
--
Matthew

-
List info/subscribe/unsubscribe? See http://
Eric Wittle
2018-12-03 10:41:42 UTC
Permalink
Pasted this time…

FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = opendirectory
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
use_open_directory = yes
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_opendirectory
# Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_sqlite"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
Creating attribute SQL-Group
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.key"
certificate_file = "/usr/local/etc/raddb/certs/server.crt"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_sqlite: libsqlite version: 3.19.3
sqlite {
filename = "/var/db/radius/freeradius.db"
busy_timeout = 200
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net) to global clients list
rlm_sql (192.168.1.1): Client "router.wittle.net" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 59453
Listening on proxy address :: port 59454
Ready to process requests
(0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) User-Name = "eric"
(0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
(0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "eric", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0) [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
(0) mschap: Stepbuf server challenge :
ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
(0) mschap: Stepbuf peer challenge :
ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
(0) mschap: Stepbuf p24 :
5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +27
Ready to process requests
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/
Eric Wittle
2018-12-03 11:14:53 UTC
Permalink
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.

The contents of ApplePasswordServer.Error.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
-- Start: Server rolled log on: Nov 13 2018 21:17:19 --
Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT

The tail end of ApplePasswordServer.Server.Log

bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
Dec 2 2018 14:52:43 233320us Stopping server processes ...
Dec 2 2018 14:52:43 234062us Closing all incoming connections ...
Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10
Dec 2 2018 14:52:43 234669us Stopping Network Processes ...
Dec 2 2018 14:52:43 234682us Deinitializing networking ...
Dec 2 2018 14:52:43 234701us Server Processes Stopped ...
Dec 2 2018 14:52:43 234718us RunAppThread Stopped
Dec 2 2018 14:52:43 234747us RunAppThread Deleted
Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018
.
Dec 2 2018 14:52:47 755702us RunAppThread Created
Dec 2 2018 14:52:47 755746us RunAppThread Started
Dec 2 2018 14:52:47 755760us Initializing Server Globals ...
Dec 2 2018 14:52:47 768754us Initializing Networking ...
Dec 2 2018 14:52:47 768819us Initializing TCP ...
Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET"
Dec 2 2018 14:52:47 824367us Starting Central Thread ...
Dec 2 2018 14:52:47 824401us Starting other server processes ...
Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop
Dec 2 2018 14:52:47 824451us Initializing TCP ...
Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 14:52:47 825558us Finished starting other server processes ...
Dec 2 2018 14:52:47 825582us -- Password Server successfully started --
Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec --
Dec 2 2018 15:03:32 701865us Stopping server processes ...
Dec 2 2018 15:03:32 702676us Closing all incoming connections ...
Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:03:32 703930us Stopping Network Processes ...
Dec 2 2018 15:03:32 703944us Deinitializing networking ...
Dec 2 2018 15:03:32 703960us Server Processes Stopped ...
Dec 2 2018 15:03:32 703977us RunAppThread Stopped
Dec 2 2018 15:03:32 703989us RunAppThread Deleted
Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018
.
Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018
.
Dec 2 2018 15:03:43 644253us RunAppThread Created
Dec 2 2018 15:03:43 644295us RunAppThread Started
Dec 2 2018 15:03:43 644316us Initializing Server Globals ...
Dec 2 2018 15:03:43 677609us Initializing Networking ...
Dec 2 2018 15:03:43 677736us Initializing TCP ...
Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET"
Dec 2 2018 15:03:43 692877us Starting Central Thread ...
Dec 2 2018 15:03:43 692895us Starting other server processes ...
Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:03:43 692938us Initializing TCP ...
Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:03:43 694190us Finished starting other server processes ...
Dec 2 2018 15:03:43 694212us -- Password Server successfully started --
Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec --
Dec 2 2018 15:05:24 289083us Stopping server processes ...
Dec 2 2018 15:05:24 289128us Closing all incoming connections ...
Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:05:24 290086us Stopping Network Processes ...
Dec 2 2018 15:05:24 290098us Deinitializing networking ...
Dec 2 2018 15:05:24 290113us Server Processes Stopped ...
Dec 2 2018 15:05:24 290129us RunAppThread Stopped
Dec 2 2018 15:05:24 290142us RunAppThread Deleted
Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018
.
Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018
.
Dec 2 2018 15:07:34 103718us RunAppThread Created
Dec 2 2018 15:07:34 103758us RunAppThread Started
Dec 2 2018 15:07:34 103779us Initializing Server Globals ...
Dec 2 2018 15:07:34 118899us Initializing Networking ...
Dec 2 2018 15:07:34 118961us Initializing TCP ...
Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET"
Dec 2 2018 15:07:34 139134us Starting Central Thread ...
Dec 2 2018 15:07:34 139141us Starting other server processes ...
Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:07:34 139174us Initializing TCP ...
Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:07:34 140156us Finished starting other server processes ...
Dec 2 2018 15:07:34 140178us -- Password Server successfully started --
Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec --
Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.

It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.

I’ll take a look and see if radiusconfig is a script…

-Eric
Post by Eric Wittle
Pasted this time…
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com <http://example.com/> {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = opendirectory
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
use_open_directory = yes
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_opendirectory
# Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_sqlite"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
Creating attribute SQL-Group
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.key"
certificate_file = "/usr/local/etc/raddb/certs/server.crt"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_sqlite: libsqlite version: 3.19.3
sqlite {
filename = "/var/db/radius/freeradius.db"
busy_timeout = 200
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list
rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 59453
Listening on proxy address :: port 59454
Ready to process requests
(0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) User-Name = "eric"
(0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
(0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0) [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +27
Ready to process requests
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
-
List info/subscribe/unsubscribe? See http://www.free
Eric Wittle
2018-12-03 11:26:55 UTC
Permalink
OK, that’s not it. I just shut down the Apple Server FreeRadius (radiusconfig -stop), started the version I built according to the migration instructions (/usr/local/sbin/radiusd -X), and tried to access the VPN. There was one additional entry added to the ApplePasswordServer.Server.log:

Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.

So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.

-Eric
Post by Eric Wittle
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
The contents of ApplePasswordServer.Error.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
-- Start: Server rolled log on: Nov 13 2018 21:17:19 --
Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT
The tail end of ApplePasswordServer.Server.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
Dec 2 2018 14:52:43 233320us Stopping server processes ...
Dec 2 2018 14:52:43 234062us Closing all incoming connections ...
Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10
Dec 2 2018 14:52:43 234669us Stopping Network Processes ...
Dec 2 2018 14:52:43 234682us Deinitializing networking ...
Dec 2 2018 14:52:43 234701us Server Processes Stopped ...
Dec 2 2018 14:52:43 234718us RunAppThread Stopped
Dec 2 2018 14:52:43 234747us RunAppThread Deleted
Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018
.
Dec 2 2018 14:52:47 755702us RunAppThread Created
Dec 2 2018 14:52:47 755746us RunAppThread Started
Dec 2 2018 14:52:47 755760us Initializing Server Globals ...
Dec 2 2018 14:52:47 768754us Initializing Networking ...
Dec 2 2018 14:52:47 768819us Initializing TCP ...
Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 14:52:47 824367us Starting Central Thread ...
Dec 2 2018 14:52:47 824401us Starting other server processes ...
Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop
Dec 2 2018 14:52:47 824451us Initializing TCP ...
Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 14:52:47 825558us Finished starting other server processes ...
Dec 2 2018 14:52:47 825582us -- Password Server successfully started --
Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec --
Dec 2 2018 15:03:32 701865us Stopping server processes ...
Dec 2 2018 15:03:32 702676us Closing all incoming connections ...
Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:03:32 703930us Stopping Network Processes ...
Dec 2 2018 15:03:32 703944us Deinitializing networking ...
Dec 2 2018 15:03:32 703960us Server Processes Stopped ...
Dec 2 2018 15:03:32 703977us RunAppThread Stopped
Dec 2 2018 15:03:32 703989us RunAppThread Deleted
Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018
.
Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018
.
Dec 2 2018 15:03:43 644253us RunAppThread Created
Dec 2 2018 15:03:43 644295us RunAppThread Started
Dec 2 2018 15:03:43 644316us Initializing Server Globals ...
Dec 2 2018 15:03:43 677609us Initializing Networking ...
Dec 2 2018 15:03:43 677736us Initializing TCP ...
Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 15:03:43 692877us Starting Central Thread ...
Dec 2 2018 15:03:43 692895us Starting other server processes ...
Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:03:43 692938us Initializing TCP ...
Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:03:43 694190us Finished starting other server processes ...
Dec 2 2018 15:03:43 694212us -- Password Server successfully started --
Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec --
Dec 2 2018 15:05:24 289083us Stopping server processes ...
Dec 2 2018 15:05:24 289128us Closing all incoming connections ...
Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:05:24 290086us Stopping Network Processes ...
Dec 2 2018 15:05:24 290098us Deinitializing networking ...
Dec 2 2018 15:05:24 290113us Server Processes Stopped ...
Dec 2 2018 15:05:24 290129us RunAppThread Stopped
Dec 2 2018 15:05:24 290142us RunAppThread Deleted
Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018
.
Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018
.
Dec 2 2018 15:07:34 103718us RunAppThread Created
Dec 2 2018 15:07:34 103758us RunAppThread Started
Dec 2 2018 15:07:34 103779us Initializing Server Globals ...
Dec 2 2018 15:07:34 118899us Initializing Networking ...
Dec 2 2018 15:07:34 118961us Initializing TCP ...
Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 15:07:34 139134us Starting Central Thread ...
Dec 2 2018 15:07:34 139141us Starting other server processes ...
Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:07:34 139174us Initializing TCP ...
Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:07:34 140156us Finished starting other server processes ...
Dec 2 2018 15:07:34 140178us -- Password Server successfully started --
Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec --
Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
I’ll take a look and see if radiusconfig is a script…
-Eric
Post by Eric Wittle
Pasted this time…
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com <http://example.com/> {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = opendirectory
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
use_open_directory = yes
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_opendirectory
# Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_sqlite"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
Creating attribute SQL-Group
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.key"
certificate_file = "/usr/local/etc/raddb/certs/server.crt"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_sqlite: libsqlite version: 3.19.3
sqlite {
filename = "/var/db/radius/freeradius.db"
busy_timeout = 200
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list
rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 59453
Listening on proxy address :: port 59454
Ready to process requests
(0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) User-Name = "eric"
(0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
(0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0) [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +27
Ready to process requests
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
-
List info/subscribe/unsubscr
Eric Wittle
2018-12-03 11:48:54 UTC
Permalink
In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.

-Eric

rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "eric"
MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc
MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "eric", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 178
++[files] = ok
[opendirectory] The host 192.168.1.1 does not have an access group.
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: eric
[mschap] Client is using MS-CHAPv2 for eric, we need NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Doing OD MSCHAPv2 auth
[mschap] Successful authentication for eric
++[mschap] = ok
+} # group MS-CHAP = ok
Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net port 0)
# Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 2 to 192.168.1.1 port 60795
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96
Acct-Session-Id = "5C0514303B2A00"
User-Name = "eric"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 192.168.6.100
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Acct-Delay-Time = 0
# Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default
+group preacct {
++[preprocess] = ok
[acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"'
[acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184".
++[acct_unique] = ok
[suffix] No '@' in User-Name = "eric", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default
+group accounting {
[detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1
[detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203
[detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203
[detail] expand: %t -> Mon Dec 3 06:32:00 2018
++[detail] = ok
++[exec] = noop
[attr_filter.accounting_response] expand: %{User-Name} -> eric
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
+} # group accounting = updated
Sending Accounting-Response of id 3 to 192.168.1.1 port 40029
Finished request 1.
Cleaning up request 1 ID 3 with timestamp +23
Going to the next request
Waking up in 4.3 seconds.
Cleaning up request 0 ID 2 with timestamp +22
Ready to process requests.
Post by Eric Wittle
Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
-Eric
Post by Eric Wittle
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
The contents of ApplePasswordServer.Error.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
-- Start: Server rolled log on: Nov 13 2018 21:17:19 --
Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT
The tail end of ApplePasswordServer.Server.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
Dec 2 2018 14:52:43 233320us Stopping server processes ...
Dec 2 2018 14:52:43 234062us Closing all incoming connections ...
Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10
Dec 2 2018 14:52:43 234669us Stopping Network Processes ...
Dec 2 2018 14:52:43 234682us Deinitializing networking ...
Dec 2 2018 14:52:43 234701us Server Processes Stopped ...
Dec 2 2018 14:52:43 234718us RunAppThread Stopped
Dec 2 2018 14:52:43 234747us RunAppThread Deleted
Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018
.
Dec 2 2018 14:52:47 755702us RunAppThread Created
Dec 2 2018 14:52:47 755746us RunAppThread Started
Dec 2 2018 14:52:47 755760us Initializing Server Globals ...
Dec 2 2018 14:52:47 768754us Initializing Networking ...
Dec 2 2018 14:52:47 768819us Initializing TCP ...
Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 14:52:47 824367us Starting Central Thread ...
Dec 2 2018 14:52:47 824401us Starting other server processes ...
Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop
Dec 2 2018 14:52:47 824451us Initializing TCP ...
Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 14:52:47 825558us Finished starting other server processes ...
Dec 2 2018 14:52:47 825582us -- Password Server successfully started --
Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec --
Dec 2 2018 15:03:32 701865us Stopping server processes ...
Dec 2 2018 15:03:32 702676us Closing all incoming connections ...
Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:03:32 703930us Stopping Network Processes ...
Dec 2 2018 15:03:32 703944us Deinitializing networking ...
Dec 2 2018 15:03:32 703960us Server Processes Stopped ...
Dec 2 2018 15:03:32 703977us RunAppThread Stopped
Dec 2 2018 15:03:32 703989us RunAppThread Deleted
Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018
.
Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018
.
Dec 2 2018 15:03:43 644253us RunAppThread Created
Dec 2 2018 15:03:43 644295us RunAppThread Started
Dec 2 2018 15:03:43 644316us Initializing Server Globals ...
Dec 2 2018 15:03:43 677609us Initializing Networking ...
Dec 2 2018 15:03:43 677736us Initializing TCP ...
Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 15:03:43 692877us Starting Central Thread ...
Dec 2 2018 15:03:43 692895us Starting other server processes ...
Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:03:43 692938us Initializing TCP ...
Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:03:43 694190us Finished starting other server processes ...
Dec 2 2018 15:03:43 694212us -- Password Server successfully started --
Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec --
Dec 2 2018 15:05:24 289083us Stopping server processes ...
Dec 2 2018 15:05:24 289128us Closing all incoming connections ...
Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:05:24 290086us Stopping Network Processes ...
Dec 2 2018 15:05:24 290098us Deinitializing networking ...
Dec 2 2018 15:05:24 290113us Server Processes Stopped ...
Dec 2 2018 15:05:24 290129us RunAppThread Stopped
Dec 2 2018 15:05:24 290142us RunAppThread Deleted
Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018
.
Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018
.
Dec 2 2018 15:07:34 103718us RunAppThread Created
Dec 2 2018 15:07:34 103758us RunAppThread Started
Dec 2 2018 15:07:34 103779us Initializing Server Globals ...
Dec 2 2018 15:07:34 118899us Initializing Networking ...
Dec 2 2018 15:07:34 118961us Initializing TCP ...
Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 15:07:34 139134us Starting Central Thread ...
Dec 2 2018 15:07:34 139141us Starting other server processes ...
Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:07:34 139174us Initializing TCP ...
Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:07:34 140156us Finished starting other server processes ...
Dec 2 2018 15:07:34 140178us -- Password Server successfully started --
Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec --
Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
I’ll take a look and see if radiusconfig is a script…
-Eric
Post by Eric Wittle
Pasted this time…
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com <http://example.com/> {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = opendirectory
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
use_open_directory = yes
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_opendirectory
# Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_sqlite"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
Creating attribute SQL-Group
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.key"
certificate_file = "/usr/local/etc/raddb/certs/server.crt"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_sqlite: libsqlite version: 3.19.3
sqlite {
filename = "/var/db/radius/freeradius.db"
busy_timeout = 200
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list
rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 59453
Listening on proxy address :: port 59454
Ready to process requests
(0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) User-Name = "eric"
(0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
(0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0) [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +27
Ready to process requests
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
-
List info/subscribe/unsubscribe? See h
Eric Wittle
2018-12-03 12:16:51 UTC
Permalink
And finally what success and failure look like from the router’s messages log:

Successful authentication with OS X Server’s FreeRADIUS 2.10:

Dec 3 12:11:39 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 60074. Local: 33742, Remote: 28 (ref=0/0). LNS session is 'default'
Dec 3 12:11:39 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17357, Local: 45819, Remote: 7746, Serial: 1
Dec 3 12:11:39 ubnt pppd[17357]: pppd 2.4.4 started by root, uid 0
Dec 3 12:11:39 ubnt pppd[17357]: Connect: ppp0 <-->
Dec 3 12:11:42 ubnt pppd[17357]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received
Dec 3 12:11:43 ubnt pppd[17357]: Cannot determine ethernet address for proxy ARP
Dec 3 12:11:43 ubnt pppd[17357]: local IP address 10.255.255.0
Dec 3 12:11:43 ubnt pppd[17357]: remote IP address 192.168.6.100
Dec 3 12:12:23 ubnt pppd[17357]: Connection terminated: no multilink.
Dec 3 12:12:23 ubnt pppd[17357]: Modem hangup

Failed authentication with manually installed FreeRadius 3

Dec 3 12:13:03 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 49849. Local: 23776, Remote: 29 (ref=0/0). LNS session is 'default'
Dec 3 12:13:03 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17610, Local: 11728, Remote: 7750, Serial: 1
Dec 3 12:13:03 ubnt pppd[17610]: pppd 2.4.4 started by root, uid 0
Dec 3 12:13:03 ubnt pppd[17610]: Connect: ppp0 <-->
Dec 3 12:13:06 ubnt pppd[17610]:
Dec 3 12:13:06 ubnt pppd[17610]: Peer eric failed CHAP authentication
Dec 3 12:13:12 ubnt pppd[17610]: Connection terminated: no multilink.
Dec 3 12:13:12 ubnt pppd[17610]: Modem hangup

-Eric
Post by Eric Wittle
In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.
-Eric
rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "eric"
MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc
MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 178
++[files] = ok
[opendirectory] The host 192.168.1.1 does not have an access group.
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: eric
[mschap] Client is using MS-CHAPv2 for eric, we need NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Doing OD MSCHAPv2 auth
[mschap] Successful authentication for eric
++[mschap] = ok
+} # group MS-CHAP = ok
Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net <http://router.wittle.net/> port 0)
# Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 2 to 192.168.1.1 port 60795
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96
Acct-Session-Id = "5C0514303B2A00"
User-Name = "eric"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 192.168.6.100
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Acct-Delay-Time = 0
# Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default
+group preacct {
++[preprocess] = ok
[acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"'
[acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184".
++[acct_unique] = ok
[suffix] No such realm "NULL"
++[suffix] = noop
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default
+group accounting {
[detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1
[detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203
[detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203
[detail] expand: %t -> Mon Dec 3 06:32:00 2018
++[detail] = ok
++[exec] = noop
[attr_filter.accounting_response] expand: %{User-Name} -> eric
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
+} # group accounting = updated
Sending Accounting-Response of id 3 to 192.168.1.1 port 40029
Finished request 1.
Cleaning up request 1 ID 3 with timestamp +23
Going to the next request
Waking up in 4.3 seconds.
Cleaning up request 0 ID 2 with timestamp +22
Ready to process requests.
Post by Eric Wittle
Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
-Eric
Post by Eric Wittle
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
The contents of ApplePasswordServer.Error.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
-- Start: Server rolled log on: Nov 13 2018 21:17:19 --
Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT
The tail end of ApplePasswordServer.Server.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
Dec 2 2018 14:52:43 233320us Stopping server processes ...
Dec 2 2018 14:52:43 234062us Closing all incoming connections ...
Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10
Dec 2 2018 14:52:43 234669us Stopping Network Processes ...
Dec 2 2018 14:52:43 234682us Deinitializing networking ...
Dec 2 2018 14:52:43 234701us Server Processes Stopped ...
Dec 2 2018 14:52:43 234718us RunAppThread Stopped
Dec 2 2018 14:52:43 234747us RunAppThread Deleted
Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018
.
Dec 2 2018 14:52:47 755702us RunAppThread Created
Dec 2 2018 14:52:47 755746us RunAppThread Started
Dec 2 2018 14:52:47 755760us Initializing Server Globals ...
Dec 2 2018 14:52:47 768754us Initializing Networking ...
Dec 2 2018 14:52:47 768819us Initializing TCP ...
Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 14:52:47 824367us Starting Central Thread ...
Dec 2 2018 14:52:47 824401us Starting other server processes ...
Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop
Dec 2 2018 14:52:47 824451us Initializing TCP ...
Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 14:52:47 825558us Finished starting other server processes ...
Dec 2 2018 14:52:47 825582us -- Password Server successfully started --
Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec --
Dec 2 2018 15:03:32 701865us Stopping server processes ...
Dec 2 2018 15:03:32 702676us Closing all incoming connections ...
Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:03:32 703930us Stopping Network Processes ...
Dec 2 2018 15:03:32 703944us Deinitializing networking ...
Dec 2 2018 15:03:32 703960us Server Processes Stopped ...
Dec 2 2018 15:03:32 703977us RunAppThread Stopped
Dec 2 2018 15:03:32 703989us RunAppThread Deleted
Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018
.
Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018
.
Dec 2 2018 15:03:43 644253us RunAppThread Created
Dec 2 2018 15:03:43 644295us RunAppThread Started
Dec 2 2018 15:03:43 644316us Initializing Server Globals ...
Dec 2 2018 15:03:43 677609us Initializing Networking ...
Dec 2 2018 15:03:43 677736us Initializing TCP ...
Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 15:03:43 692877us Starting Central Thread ...
Dec 2 2018 15:03:43 692895us Starting other server processes ...
Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:03:43 692938us Initializing TCP ...
Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:03:43 694190us Finished starting other server processes ...
Dec 2 2018 15:03:43 694212us -- Password Server successfully started --
Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec --
Dec 2 2018 15:05:24 289083us Stopping server processes ...
Dec 2 2018 15:05:24 289128us Closing all incoming connections ...
Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:05:24 290086us Stopping Network Processes ...
Dec 2 2018 15:05:24 290098us Deinitializing networking ...
Dec 2 2018 15:05:24 290113us Server Processes Stopped ...
Dec 2 2018 15:05:24 290129us RunAppThread Stopped
Dec 2 2018 15:05:24 290142us RunAppThread Deleted
Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018
.
Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018
.
Dec 2 2018 15:07:34 103718us RunAppThread Created
Dec 2 2018 15:07:34 103758us RunAppThread Started
Dec 2 2018 15:07:34 103779us Initializing Server Globals ...
Dec 2 2018 15:07:34 118899us Initializing Networking ...
Dec 2 2018 15:07:34 118961us Initializing TCP ...
Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 15:07:34 139134us Starting Central Thread ...
Dec 2 2018 15:07:34 139141us Starting other server processes ...
Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:07:34 139174us Initializing TCP ...
Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:07:34 140156us Finished starting other server processes ...
Dec 2 2018 15:07:34 140178us -- Password Server successfully started --
Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec --
Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
I’ll take a look and see if radiusconfig is a script…
-Eric
Post by Eric Wittle
Pasted this time…
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com <http://example.com/> {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = opendirectory
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
use_open_directory = yes
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_opendirectory
# Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_sqlite"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
Creating attribute SQL-Group
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.key"
certificate_file = "/usr/local/etc/raddb/certs/server.crt"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_sqlite: libsqlite version: 3.19.3
sqlite {
filename = "/var/db/radius/freeradius.db"
busy_timeout = 200
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list
rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 59453
Listening on proxy address :: port 59454
Ready to process requests
(0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) User-Name = "eric"
(0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
(0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0) [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +27
Ready to process requests
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
-
List info/subscribe/unsubscribe? See http://www.free
Eric Wittle
2018-12-04 01:58:43 UTC
Permalink
I looked over the debug output from attempts that should have succeeded (valid username and password), vs. those that should have failed (invalid password). It seems like the result description is the following for a valid username / password:

(1) Sent Access-Reject Id 10 from 192.168.1.2:1812 to 192.168.1.1:43315 length 20

and this for an invalid password:

(0) Sent Access-Reject Id 9 from 192.168.1.2:1812 to 192.168.1.1:48225 length 20

That seems to imply that FreeRADIUS 3.0.17 is doing the right thing, but somehow the results for the Ubiquiti EdgeRouter VPN authentication are different. Am I reading the log correctly?

I’ve posted in the Ubiquiti forums asking for help there as well, assuming that I’m reading this debug log correctly and authentication is actually succeeding:

https://community.ubnt.com/t5/EdgeRouter/VPN-radius-authentication-incorrectly-failing/m-p/2584939#M230964

I did a quick web search to see if I could log the authentication response to the EdgeRouter, but didn’t find anything that was particularly clear.

Did the authentication response change from 2.2.10 to 3.0.17? I could presumably rebuild and reconfigure with a 2.X version to see if that would be more compatible with the EdgeRouter.

-Eric
Post by Eric Wittle
Dec 3 12:11:39 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 60074. Local: 33742, Remote: 28 (ref=0/0). LNS session is 'default'
Dec 3 12:11:39 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17357, Local: 45819, Remote: 7746, Serial: 1
Dec 3 12:11:39 ubnt pppd[17357]: pppd 2.4.4 started by root, uid 0
Dec 3 12:11:39 ubnt pppd[17357]: Connect: ppp0 <-->
Dec 3 12:11:42 ubnt pppd[17357]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received
Dec 3 12:11:43 ubnt pppd[17357]: Cannot determine ethernet address for proxy ARP
Dec 3 12:11:43 ubnt pppd[17357]: local IP address 10.255.255.0
Dec 3 12:11:43 ubnt pppd[17357]: remote IP address 192.168.6.100
Dec 3 12:12:23 ubnt pppd[17357]: Connection terminated: no multilink.
Dec 3 12:12:23 ubnt pppd[17357]: Modem hangup
Failed authentication with manually installed FreeRadius 3
Dec 3 12:13:03 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 49849. Local: 23776, Remote: 29 (ref=0/0). LNS session is 'default'
Dec 3 12:13:03 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 17610, Local: 11728, Remote: 7750, Serial: 1
Dec 3 12:13:03 ubnt pppd[17610]: pppd 2.4.4 started by root, uid 0
Dec 3 12:13:03 ubnt pppd[17610]: Connect: ppp0 <-->
Dec 3 12:13:06 ubnt pppd[17610]: Peer eric failed CHAP authentication
Dec 3 12:13:12 ubnt pppd[17610]: Connection terminated: no multilink.
Dec 3 12:13:12 ubnt pppd[17610]: Modem hangup
-Eric
Post by Eric Wittle
In case it helps, I’m including the packet-handling result from the OSX server bundled version that works, for the same user trying to authenticate. The bundled version is 2.2.10.
-Eric
rad_recv: Access-Request packet from host 192.168.1.1 port 60795, id=2, length=132
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "eric"
MS-CHAP-Challenge = 0x7773bea95387ac16365f5290c86a3bbc
MS-CHAP2-Response = 0x500058b7ad77e3cb4663ed328c1ca8bc8c5a00000000000000006a34bfaed3a90f2dc844d86da2b83d02f9f7a2c7dc8c5cf8
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 178
++[files] = ok
[opendirectory] The host 192.168.1.1 does not have an access group.
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: eric
[mschap] Client is using MS-CHAPv2 for eric, we need NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Doing OD MSCHAPv2 auth
[mschap] Successful authentication for eric
++[mschap] = ok
+} # group MS-CHAP = ok
Login OK: [eric/<via Auth-Type = MSCHAP>] (from client router.wittle.net <http://router.wittle.net/> port 0)
# Executing section post-auth from file /Library/Server/radius/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 2 to 192.168.1.1 port 60795
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success = 0x50533d35323342334444384141413539344246304330433030373546423534413133454445393738323530
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.1 port 40029, id=3, length=96
Acct-Session-Id = "5C0514303B2A00"
User-Name = "eric"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 192.168.6.100
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Acct-Delay-Time = 0
# Executing section preacct from file /Library/Server/radius/raddb/sites-enabled/default
+group preacct {
++[preprocess] = ok
[acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 127.0.1.1,Acct-Session-Id = "5C0514303B2A00",User-Name = "eric"'
[acct_unique] Acct-Unique-Session-ID = "2a99ab6a447c4184".
++[acct_unique] = ok
[suffix] No such realm "NULL"
++[suffix] = noop
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /Library/Server/radius/raddb/sites-enabled/default
+group accounting {
[detail] expand: %{Packet-Src-IP-Address} -> 192.168.1.1
[detail] expand: /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /private/var/log/radius/radacct/192.168.1.1/detail-20181203
[detail] /private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /private/var/log/radius/radacct/192.168.1.1/detail-20181203
[detail] expand: %t -> Mon Dec 3 06:32:00 2018
++[detail] = ok
++[exec] = noop
[attr_filter.accounting_response] expand: %{User-Name} -> eric
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
+} # group accounting = updated
Sending Accounting-Response of id 3 to 192.168.1.1 port 40029
Finished request 1.
Cleaning up request 1 ID 3 with timestamp +23
Going to the next request
Waking up in 4.3 seconds.
Cleaning up request 0 ID 2 with timestamp +22
Ready to process requests.
Post by Eric Wittle
Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
-Eric
Post by Eric Wittle
Plus I believe there was a question of whether OpenDirectory logs anything useful. After a quick set of google searches, that is a good question. The closest I could find was a set of logs in the Apple Server log folder in the PasswordService directory.
The contents of ApplePasswordServer.Error.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Error.log
-- Start: Server rolled log on: Nov 13 2018 21:17:19 --
Dec 2 2018 14:52:47 819295us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:03:43 692394us Requested SASL mechanism not loaded: SMB-NT
Dec 2 2018 15:07:34 139111us Requested SASL mechanism not loaded: SMB-NT
The tail end of ApplePasswordServer.Server.Log
bash-3.2# tail -100 /Library/Logs/PasswordService/ApplePasswordServer.Server.log
Dec 2 2018 14:52:43 233320us Stopping server processes ...
Dec 2 2018 14:52:43 234062us Closing all incoming connections ...
Dec 2 2018 14:52:43 234097us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 14:52:43 234645us StopCentralThreads: Current Threads: 10
Dec 2 2018 14:52:43 234669us Stopping Network Processes ...
Dec 2 2018 14:52:43 234682us Deinitializing networking ...
Dec 2 2018 14:52:43 234701us Server Processes Stopped ...
Dec 2 2018 14:52:43 234718us RunAppThread Stopped
Dec 2 2018 14:52:43 234747us RunAppThread Deleted
Dec 2 2018 14:52:47 755661us Mac OS X Password Service version 424 (pid = 37915) was started at: Sun Dec 2 14:52:47 2018
.
Dec 2 2018 14:52:47 755702us RunAppThread Created
Dec 2 2018 14:52:47 755746us RunAppThread Started
Dec 2 2018 14:52:47 755760us Initializing Server Globals ...
Dec 2 2018 14:52:47 768754us Initializing Networking ...
Dec 2 2018 14:52:47 768819us Initializing TCP ...
Dec 2 2018 14:52:47 819245us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 14:52:47 824367us Starting Central Thread ...
Dec 2 2018 14:52:47 824401us Starting other server processes ...
Dec 2 2018 14:52:47 824412us StartCentralThreads: 1 threads to stop
Dec 2 2018 14:52:47 824451us Initializing TCP ...
Dec 2 2018 14:52:47 824580us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 14:52:47 824630us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 14:52:47 824723us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 14:52:47 824762us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 14:52:47 824800us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 14:52:47 824820us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 14:52:47 825558us Finished starting other server processes ...
Dec 2 2018 14:52:47 825582us -- Password Server successfully started --
Dec 2 2018 14:52:47 825592us -- Start time: 0 sec, 74 msec --
Dec 2 2018 15:03:32 701865us Stopping server processes ...
Dec 2 2018 15:03:32 702676us Closing all incoming connections ...
Dec 2 2018 15:03:32 702706us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:03:32 703903us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:03:32 703930us Stopping Network Processes ...
Dec 2 2018 15:03:32 703944us Deinitializing networking ...
Dec 2 2018 15:03:32 703960us Server Processes Stopped ...
Dec 2 2018 15:03:32 703977us RunAppThread Stopped
Dec 2 2018 15:03:32 703989us RunAppThread Deleted
Dec 2 2018 15:03:33 705899us Mac OS X Password Service (pid = 37915) was shut down at: Sun Dec 2 15:03:33 2018
.
Dec 2 2018 15:03:43 644217us Mac OS X Password Service version 424 (pid = 38843) was started at: Sun Dec 2 15:03:43 2018
.
Dec 2 2018 15:03:43 644253us RunAppThread Created
Dec 2 2018 15:03:43 644295us RunAppThread Started
Dec 2 2018 15:03:43 644316us Initializing Server Globals ...
Dec 2 2018 15:03:43 677609us Initializing Networking ...
Dec 2 2018 15:03:43 677736us Initializing TCP ...
Dec 2 2018 15:03:43 692357us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 15:03:43 692877us Starting Central Thread ...
Dec 2 2018 15:03:43 692895us Starting other server processes ...
Dec 2 2018 15:03:43 692905us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:03:43 692938us Initializing TCP ...
Dec 2 2018 15:03:43 693040us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:03:43 693082us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:03:43 693110us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:03:43 693133us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:03:43 693156us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:03:43 693167us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:03:43 694190us Finished starting other server processes ...
Dec 2 2018 15:03:43 694212us -- Password Server successfully started --
Dec 2 2018 15:03:43 694222us -- Start time: 0 sec, 54 msec --
Dec 2 2018 15:05:24 289083us Stopping server processes ...
Dec 2 2018 15:05:24 289128us Closing all incoming connections ...
Dec 2 2018 15:05:24 289150us StopCentralThreads: Stopping Connection Listeners ...
Dec 2 2018 15:05:24 290059us StopCentralThreads: Current Threads: 3
Dec 2 2018 15:05:24 290086us Stopping Network Processes ...
Dec 2 2018 15:05:24 290098us Deinitializing networking ...
Dec 2 2018 15:05:24 290113us Server Processes Stopped ...
Dec 2 2018 15:05:24 290129us RunAppThread Stopped
Dec 2 2018 15:05:24 290142us RunAppThread Deleted
Dec 2 2018 15:05:26 221197us Mac OS X Password Service (pid = 38843) was shut down at: Sun Dec 2 15:05:26 2018
.
Dec 2 2018 15:07:34 103685us Mac OS X Password Service version 424 (pid = 39140) was started at: Sun Dec 2 15:07:34 2018
.
Dec 2 2018 15:07:34 103718us RunAppThread Created
Dec 2 2018 15:07:34 103758us RunAppThread Started
Dec 2 2018 15:07:34 103779us Initializing Server Globals ...
Dec 2 2018 15:07:34 118899us Initializing Networking ...
Dec 2 2018 15:07:34 118961us Initializing TCP ...
Dec 2 2018 15:07:34 139076us SASL is using realm "MAIL.WITTLE.NET <http://mail.wittle.net/>"
Dec 2 2018 15:07:34 139134us Starting Central Thread ...
Dec 2 2018 15:07:34 139141us Starting other server processes ...
Dec 2 2018 15:07:34 139147us StartCentralThreads: 1 threads to stop
Dec 2 2018 15:07:34 139174us Initializing TCP ...
Dec 2 2018 15:07:34 139265us Starting TCP/IP Listener on ethernet interface, port 106
Dec 2 2018 15:07:34 139302us Starting TCP/IP Listener on ethernet interface, port 3659
Dec 2 2018 15:07:34 139322us Starting TCP/IP Listener on interface lo0, port 106
Dec 2 2018 15:07:34 139350us Starting TCP/IP Listener on interface lo0, port 3659
Dec 2 2018 15:07:34 139443us StartCentralThreads: Created 4 TCP/IP Connection Listeners
Dec 2 2018 15:07:34 139462us Starting UNIX domain socket listener /var/run/passwordserver
Dec 2 2018 15:07:34 140156us Finished starting other server processes ...
Dec 2 2018 15:07:34 140178us -- Password Server successfully started --
Dec 2 2018 15:07:34 140190us -- Start time: 0 sec, 41 msec --
Dec 2 2018 20:01:57 945387us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:35:44 395239us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:17 158109us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 20:37:43 63472us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:17:05 402081us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
Dec 2 2018 21:37:24 961075us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
It is interesting in the above logs to see that the ApplePasswordServer is starting and stopping. Since I’m starting the OS X Server built-in freeradius instance with “radiusconfig -start”, and stoping it with “radiusconfig -stop”, I’m now wondering if the password server isn’t running when I start the version of FreeRADIUS I’m trying to install manually outside of OS X server.
I’ll take a look and see if radiusconfig is a script…
-Eric
Post by Eric Wittle
Pasted this time…
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com <http://example.com/> {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = opendirectory
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
use_open_directory = yes
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_opendirectory
# Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_sqlite"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
Creating attribute SQL-Group
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.key"
certificate_file = "/usr/local/etc/raddb/certs/server.crt"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/ <http://127.0.0.1/ocsp/>"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_sqlite: libsqlite version: 3.19.3
sqlite {
filename = "/var/db/radius/freeradius.db"
busy_timeout = 200
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.1.1 (router.wittle.net <http://router.wittle.net/>) to global clients list
rlm_sql (192.168.1.1): Client "router.wittle.net <http://router.wittle.net/>" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 59453
Listening on proxy address :: port 59454
Ready to process requests
(0) Received Access-Request Id 0 from 192.168.1.1:57936 to 192.168.1.2:1812 length 132
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) User-Name = "eric"
(0) MS-CHAP-Challenge = 0xa44a52e59a4f962b746b666bbe7f01d0
(0) MS-CHAP2-Response = 0x21009c4d4f0f11d45c28c3329de6c537a41c00000000000000005bdc768d4b3a1dddcc032970b9a466c01f8b9380857fb562
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0) [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
ffffffa44a52ffffffe5ffffff9a4fffffff962b746b666bffffffbe7f01ffffffd0
ffffff9c4d4f0f11ffffffd45c28ffffffc332ffffff9dffffffe6ffffffc537ffffffa41c
5bffffffdc76ffffff8d4b3a1dffffffddffffffcc032970ffffffb9ffffffa466ffffffc01fffffff8bffffff93ffffff80ffffff857fffffffb562
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-02 21:37:24')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 0 from 192.168.1.2:1812 to 192.168.1.1:57936 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +27
Ready to process requests
I’m working to migrate off of the built-in FreeRADIUS server that is being removed from OS X Server. I have a working configuration using the built-in version. However, after following the instructions that are part of the OS X Server migration guide (https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf>, pages 12-16), authentication fails.
I see an error: “Sun Dec 2 21:18:34 2018 : ERROR: (2) mschap: ERROR: (null): status = eServerError” in the radius.log file.
Following the instructions on the user list, I captured the attached debug file. Any help would be appreciated, because I’m a bit lost.
Thanks in advance.
-Eric
<debugfile>
-
List info/subscribe/unsubscrib
Eric Wittle
2018-12-04 03:08:26 UTC
Permalink
OK, I cut out the history on this thread, because I think I’ve narrowed it down. I enabled detail reply logging on both the 2.2.10 install that is working, and the 3.0.17 one that is not. The first response below is from 3.0.17, and the VPN software logs that as a CHAP authentication failure. The second response below is from the 2.2.10 version. I’m guessing at this point (but I have a forum post open on Ubiquiti to confirm) that the missing MS-CHAP2-Success value is the problem.

Mon Dec 3 21:44:12 2018
Packet-Type = Access-Accept
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Timestamp = 1543891452

Mon Dec 3 21:56:04 2018
Packet-Type = Access-Accept
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success = 0x31533d31413533414644303142413034324443374639313444384245423634373131433634363642463830

Is there a way to configure 3.0.17 to send the MS-CHAP2-Success value?

Thanks,

-Eric





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/us
Eric Wittle
2018-12-04 03:51:42 UTC
Permalink
And making some progress. In the sites-enabled/default file, added the following to the post-auth section:

# ELW - Attempting to add the missing attribute I need
update reply {
MS-CHAP2-Success := "%{MS-CHAP2-Response}"
}

Now reply detail looks like:

Mon Dec 3 22:41:33 2018
Packet-Type = Access-Accept
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success = 0x9d0043abe40ba2b954250b42c69a1409c1c100000000000000003f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5
Timestamp = 1543894893

And the messages file on the EdgeRouter says the following for an authentication request:

Dec 4 03:41:30 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 55099. Local: 60667, Remote: 47 (ref=0/0). LNS session is 'default'
Dec 4 03:41:30 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 7504, Local: 28750, Remote: 8210, Serial: 1
Dec 4 03:41:30 ubnt pppd[7504]: pppd 2.4.4 started by root, uid 0
Dec 4 03:41:30 ubnt pppd[7504]: Connect: ppp0 <-->
Dec 4 03:41:33 ubnt pppd[7504]: RADIUS: bad MS-CHAP2-Success packet
Dec 4 03:41:33 ubnt pppd[7504]: Peer eric failed CHAP authentication
Dec 4 03:41:39 ubnt pppd[7504]: Connection terminated: no multilink.
Dec 4 03:41:39 ubnt pppd[7504]: Modem hangup

So it is clearly looking at the MS-CHAP2-Success attribute, but I’m not getting the right value for this. Any idea where I would get this from?

I’ve tried to walk through the 2.2.10 configuration looking for where this comes from, with no luck.

-Eric
Post by Eric Wittle
OK, I cut out the history on this thread, because I think I’ve narrowed it down. I enabled detail reply logging on both the 2.2.10 install that is working, and the 3.0.17 one that is not. The first response below is from 3.0.17, and the VPN software logs that as a CHAP authentication failure. The second response below is from the 2.2.10 version. I’m guessing at this point (but I have a forum post open on Ubiquiti to confirm) that the missing MS-CHAP2-Success value is the problem.
Mon Dec 3 21:44:12 2018
Packet-Type = Access-Accept
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Timestamp = 1543891452
Mon Dec 3 21:56:04 2018
Packet-Type = Access-Accept
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success = 0x31533d31413533414644303142413034324443374639313444384245423634373131433634363642463830
Is there a way to configure 3.0.17 to send the MS-CHAP2-Success value?
Thanks,
-Eric
-
List info/subscribe/unsubscribe? See http://w
Alan DeKok
2018-12-04 12:35:33 UTC
Permalink
Post by Eric Wittle
# ELW - Attempting to add the missing attribute I need
update reply {
MS-CHAP2-Success := "%{MS-CHAP2-Response}"
}
Don't do that. You can't just invent things and expect them to work.
Post by Eric Wittle
Mon Dec 3 22:41:33 2018
Packet-Type = Access-Accept
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success = 0x9d0043abe40ba2b954250b42c69a1409c1c100000000000000003f4600c8a3b9759e82a9a982364d69b51d2cf6c260d33db5
Timestamp = 1543894893
And don't look at that, either. All of the documentation, etc. says to look at the debug output.
Post by Eric Wittle
Dec 4 03:41:30 ubnt xl2tpd[16434]: Connection established to 166.177.185.119, 55099. Local: 60667, Remote: 47 (ref=0/0). LNS session is 'default'
Dec 4 03:41:30 ubnt xl2tpd[16434]: Call established with 166.177.185.119, PID: 7504, Local: 28750, Remote: 8210, Serial: 1
Dec 4 03:41:30 ubnt pppd[7504]: pppd 2.4.4 started by root, uid 0
Dec 4 03:41:30 ubnt pppd[7504]: Connect: ppp0 <-->
Dec 4 03:41:33 ubnt pppd[7504]: RADIUS: bad MS-CHAP2-Success packet
Dec 4 03:41:33 ubnt pppd[7504]: Peer eric failed CHAP authentication
Dec 4 03:41:39 ubnt pppd[7504]: Connection terminated: no multilink.
Dec 4 03:41:39 ubnt pppd[7504]: Modem hangup
And don't look at that, either. If FreeRADIUS isn't configured correctly, then it won't help to look at the NAS logs.
Post by Eric Wittle
So it is clearly looking at the MS-CHAP2-Success attribute, but I’m not getting the right value for this. Any idea where I would get this from?
You get it from a successful authentication. The MSCHAP module calculates it automatically.

The short summary is to try to get this working:

a) without using OpenDirectory, but using a static / test password

b) with OpenDirectory, but using radtest to send MS-CHAP packets.

i.e. skip the NAS entirely. Just use RADIUS test tools, and look at the RADIUS debug messages.

Maybe there's a problem with the OpenDirectory integration in v3. I don't think so, because others use it, and Apple has instructions for using it. So it should work.

Alan DeKok.


-
List info/subscribe/u
Adam Bishop
2018-12-04 12:37:34 UTC
Permalink
Post by Eric Wittle
MS-CHAP2-Success := "%{MS-CHAP2-Response}"
You've put an authentication failure into the success attribute. You can't change a failure into a success just by declaring it to be so.
Post by Eric Wittle
Post by Eric Wittle
Is there a way to configure 3.0.17 to send the MS-CHAP2-Success value?
Have your authentication succeed. It's sent automatically.

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/use
Paul Thornton
2018-12-04 12:43:05 UTC
Permalink
Post by Adam Bishop
You've put an authentication failure into the success attribute. You can't change a failure into a success just by declaring it to be so.
Oh I don't know - just ask a politician for advice, they're experts at
things like that :)

[With apologies for the totally off-topic response]

Paul.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/
Eric Wittle
2018-12-05 01:38:15 UTC
Permalink
Post by Alan DeKok
a) without using OpenDirectory, but using a static / test password
If you look at the “Appendix A” section below, you’ll see the debug output (just the packet part, I skipped the config dump, since I’ve sent it already earlier in this thread). It sure looks to me like a successful authentication against OpenDirectory, because of the following at the end:

“(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
(1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0”

Despite that success, the VPN still reports authentication failure. If my install and configuration is already successfully authenticating against OpenDirectory based on the debug output, what would I learn by running a test without OpenDirectory? I thought it a natural next step to look at what successful output meant from this configuration, and whether it was different than successful output from the prior version, which is accepted by the VPN client. I’m not sure why you disagree.
Post by Alan DeKok
b) with OpenDirectory, but using radtest to send MS-CHAP packets.
i.e. skip the NAS entirely. Just use RADIUS test tools, and look at the RADIUS debug messages.
OK, I thought I’d try that, since you suggested it, but again I’m not sure what that is supposed to tell me if the debug output of running with an actual request from the VPN is returning a success code. So I tried it. Here’s the command I used:

/usr/local/bin/radtest -x -t chap eric <password> 127.0.0.1 0 <secret> 1 192.168.1.1

The server debug output showed a failure, but it was because of allegedly a secret mismatch. Here’s the output from the server in debug mode:

"rad_recv: Access-Request packet from host 127.0.0.1 port 64369, id=137, length=81
Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response.”

I thought that was odd, because I’m not seeing anything about secret mismatches when I’m using the actual VPN client. So I fired up the 2.2.10 radius install that is working, and it fails the same way with a secret mismatch. Furthermore, because part of the Apple instructions for migrating from their version to the one they recommend people install from OpenSource includes steps to dump the clients data from the existing database and import it into the new database, I still have the tmp file that is generated as part of that process. Here’s the single line from my one client:

1,192.168.1.1,router.wittle.net,other,,<secret>,,

And yes, the <secret> value in the temp file is the same as the secret value I provided to radtest.
Post by Alan DeKok
Maybe there's a problem with the OpenDirectory integration in v3. I don't think so, because others use it, and Apple has instructions for using it. So it should work.
I’m not clear that anyone who uses Apple Server is using FreeRADIUS 3.0. As far as I know, I’m running the most recent version of Apple Server that doesn’t remove support for FreeRADIUS entirely, and that is running FreeRADIUS 2.2.10. You might want to read Apple’s instructions for how to install FreeRADIUS 3.0 in their migration guide for migrating services to OpenSource that they published because they’ve removed most of the components of Apple Server in the versions that shipped this fall. If you do, you’ll see at least two egregious errors in their installation instructions. The first is in how to set configuration options for talloc; they specify a configuration command with an argument of “-without-gettext”, which is an invalid argument; it has to be “—without-gettext”. The second, later, is instructions to change the ownership of the plist file with “chmod root:wheel”. If someone knows how to change ownership with chmod rather than chown, I’d be happy to see it. Since Apple can’t get the FreeRADIUS instructions for building correct, and they’re on version 1.2 of the migration guide without correcting them, I’m not sure I’d assume there are a bunch of FreeRADIUS OpenDirectory installations out there. Given that they have two egregious errors in the build instructions, my confidence in their configuration instructions being completely accurate is low. I’m pretty sure their instructions state to uncomment a specific line in an entire section that ships commented out, for example. That last one is from memory, I haven’t gone back and confirmed. But I will when I finally get this working. Once it is working, I’ll file a bug with Apple so that hopefully they can update the migration guide, and someone else can benefit from the large amount of time I’ve spent on this, and whatever help I end up getting from this list.

-Eric

Appendix A - Appears to be debug output from a successful authentication
========================================================

Ready to process requests
(1) Received Access-Request Id 45 from 192.168.1.1:59532 to 192.168.1.2:1812 length 132
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) User-Name = "eric"
(1) MS-CHAP-Challenge = 0x2a053a73fcd64ba4fafc59d5e78ab6d5
(1) MS-CHAP2-Response = 0xa300f17177f7f822865736049dcf49eaf81600000000000000007ffbd34e0a6706395266205ea76afcc927029837596e9dcf
(1) NAS-IP-Address = 127.0.1.1
(1) NAS-Port = 0
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(1) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(1) auth_log: EXPAND %t
(1) auth_log: --> Tue Dec 4 07:54:15 2018
(1) [auth_log] = ok
(1) [chap] = noop
(1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(1) [mschap] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "eric", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry DEFAULT at line 181
(1) [files] = ok
(1) opendirectory: The host 192.168.1.1 does not have an access group.
(1) [opendirectory] = ok
(1) sql: EXPAND %{User-Name}
(1) sql: --> eric
(1) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (3)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (3)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(1) [sql] = notfound
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) } # authorize = ok
(1) Found Auth-Type = mschap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(1) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(1) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(1) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
(1) mschap: Stepbuf server challenge :
2a053a73fffffffcffffffd64bffffffa4fffffffafffffffc59ffffffd5ffffffe7ffffff8affffffb6ffffffd5
(1) mschap: Stepbuf peer challenge :
fffffff17177fffffff7fffffff822ffffff86573604ffffff9dffffffcf49ffffffeafffffff816
(1) mschap: Stepbuf p24 :
7ffffffffbffffffd34e0a6706395266205effffffa76afffffffcffffffc92702ffffff9837596effffff9dffffffcf
(1) [mschap] = ok
(1) } # authenticate = ok
(1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(1) post-auth {
(1) update {
(1) No attributes updated
(1) } # update = noop
(1) reply_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(1) reply_log: --> /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(1) reply_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(1) reply_log: EXPAND %t
(1) reply_log: --> Tue Dec 4 07:54:15 2018
(1) [reply_log] = ok
(1) sql: EXPAND .query
(1) sql: --> .query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(1) sql: EXPAND %{User-Name}
(1) sql: --> eric
(1) sql: SQL-User-Name set to 'eric'
(1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(1) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 07:54:15')
(1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 07:54:15')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(1) [sql] = ok
(1) [exec] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # post-auth = ok
(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
(1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0
(1) Framed-Protocol = PPP
(1) Framed-Compression = Van-Jacobson-TCP-IP
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 45 with timestamp +47
Ready to process requests

-
List info/subscribe/unsubsc
Alan DeKok
2018-12-05 02:14:24 UTC
Permalink
Post by Eric Wittle
“(1) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
(1) Sent Access-Accept Id 45 from 192.168.1.2:1812 to 192.168.1.1:59532 length 0”
That's not good enough. As you noted earlier, the reply also needs an MS-CHAP-Challenge. Which it doesn't have.

So... if you read the debug output, is there an MS-CHAP-Challenge?
Post by Eric Wittle
Despite that success, the VPN still reports authentication failure. If my install and configuration is already successfully authenticating against OpenDirectory based on the debug output, what would I learn by running a test without OpenDirectory?
You would be able to track down exactly where the problem is.

Right now, you have: (a) FreeRADIUS config, (b) correct password, (c) MS-CHAP authentication, (d) OpenDirectory, and (e) the NAS / VPN concentrator.

Where is the problem? You don't know. The usual process to solve a complex problem is to make the problem simpler. Eventually you narrow the problem down to just one thing. Which is then either misconfigured, or misbehaving.

You *cannot* look at just the Access-Accept, and say "well, it's all fine!". You already know that the VPN is complaining about no MS-CHAP-Challenge. And if you read the debug output, you know FreeRADIUS isn't sending one. Which is should.

So... maybe the issue os OpenDirectory, or the FreeRADIUS to OpenDirectory integration.
Post by Eric Wittle
I thought it a natural next step to look at what successful output meant from this configuration, and whether it was different than successful output from the prior version, which is accepted by the VPN client. I’m not sure why you disagree.
I don't disagree. But you're doing the classic flailing around, without really understanding the problem, or narrowing it down:

- looking at the detail file logs, not the debug logs
- looking at the VPN logs
- etc.

Don't try a bunch of unrelated / useless things. Read the debug log. Narrow down the problem.
Post by Eric Wittle
Post by Alan DeKok
b) with OpenDirectory, but using radtest to send MS-CHAP packets.
i.e. skip the NAS entirely. Just use RADIUS test tools, and look at the RADIUS debug messages.
/usr/local/bin/radtest -x -t chap eric <password> 127.0.0.1 0 <secret> 1 192.168.1.1
At this point I'm going to have to ask that you start paying attention. Running a test with CHAP is *not* the same thing as running a test with MS-CHAP. They're different.

And radtest *can* use MS-CHAP. The "radtest -h" output shows this.
Post by Eric Wittle
"rad_recv: Access-Request packet from host 127.0.0.1 port 64369, id=137, length=81
Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response.”
Yes, that's a shared secret error.
Post by Eric Wittle
I thought that was odd, because I’m not seeing anything about secret mismatches when I’m using the actual VPN client.
Because it's coming from a different IP address. Note that if you READ the debug output, it shows that the packet is received from 127.0.0.1. And not 192.168.1.1.

AND if you read the "radtest -h" output, you will see that you supplied 127.0.0.1 as the server IP, and 192.168.1.1 as at the "nasname". i.e. NOT the source IP address of the packet.
Post by Eric Wittle
So I fired up the 2.2.10 radius install that is working, and it fails the same way with a secret mismatch.
Because 127.0.0.1 != 192.168.1.1.

This should be fairly straightforward. If you want to send packets FROM 192.168.1.1, then you must send packets FROM that IP.

If you send packets FROM 127.0.0.1, then you must use the shared secret for 127.0.0.1. See the "clients.conf" file, and look for the client that defines 127.0.0.1. When sending packets using "radtest" from localhost, use the shared secret from THAT, and not the shared secret for 192.168.1.1.
Post by Eric Wittle
1,192.168.1.1,router.wittle.net,other,,<secret>,,
And yes, the <secret> value in the temp file is the same as the secret value I provided to radtest.
Which is the wrong shared secret.

You are going over the same thing repeatedly, without paying attention to how things work. Please take a step back and pay attention.
Post by Eric Wittle
Post by Alan DeKok
Maybe there's a problem with the OpenDirectory integration in v3. I don't think so, because others use it, and Apple has instructions for using it. So it should work.
I’m not clear that anyone who uses Apple Server is using FreeRADIUS 3.0. As far as I know, I’m running the most recent version of Apple Server that doesn’t remove support for FreeRADIUS entirely, and that is running FreeRADIUS 2.2.10. You might want to read Apple’s instructions for how to install FreeRADIUS 3.0 in their migration guide for migrating services to OpenSource that they published because they’ve removed most of the components of Apple Server in the versions that shipped this fall. If you do, you’ll see at least two egregious errors in their installation instructions. The first is in how to set configuration options for talloc; they specify a configuration command with an argument of “-without-gettext”, which is an invalid argument; it has to be “—without-gettext”. The second, later, is instructions to change the ownership of the plist file with “chmod root:wheel”. If someone knows how to change ownership with chmod rather than chown, I’d be happy to see it.
Those are both typos, and fairly straightforward ones. They're not errors which *break* things.
Post by Eric Wittle
Since Apple can’t get the FreeRADIUS instructions for building correct, and they’re on version 1.2 of the migration guide without correcting them, I’m not sure I’d assume there are a bunch of FreeRADIUS OpenDirectory installations out there. Given that they have two egregious errors in the build instructions, my confidence in their configuration instructions being completely accurate is low. I’m pretty sure their instructions state to uncomment a specific line in an entire section that ships commented out, for example. That last one is from memory, I haven’t gone back and confirmed. But I will when I finally get this working. Once it is working, I’ll file a bug with Apple so that hopefully they can update the migration guide, and someone else can benefit from the large amount of time I’ve spent on this, and whatever help I end up getting from this list.
I've been trying to help you. So far it's not been easy. You're working *really* hard at doing the wrong thing. Take a step back.
Post by Eric Wittle
Appendix A - Appears to be debug output from a successful authentication
========================================================
And as was noted in earlier messages, it's missing an MS-CHAP-Success attribute in the reply.

You can't just post the same thing over and over, expecting that it will magically solve the problem. It won't.

Read this message a few times. Take a step back, and *change your approach*. Do one thing. If it doesn't work, ask a question. If it works, do another thing.

Break the problem down into pieces. Don't post messages where you try multiple things, and then waste time discovering "bugs", because you got something wrong. It's frustrating for you, and for us.

The problem shouldn't be that difficult to track down and/or fix. But if you waste hours looking at the *wrong shared secret*, those are hours you could have spent more productively.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.fr
Eric Wittle
2018-12-05 03:16:16 UTC
Permalink
And now I’ll resume the path I was originally on.

The problem that is causing my VPN to fail authentication, from comparing the responses outside of debugging, is that 3.0.17 is not returning MS-CHAP2-Success. If we look at opendir.c in rlm_mschap, we see the following code:

if (status == eDSNoErr) {
RDEBUG2("ELW: status == eDSNoErr\n");
if (pStepBuff->fBufferLength > 4) {
RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n");
size_t len;

memcpy(&len, pStepBuff->fBufferData, sizeof(len));
if (len == 40) {
RDEBUG2("ELW: len == 40\n");
char mschap_reply[42] = { '\0' };
pStepBuff->fBufferData[len+4] = '\0';
mschap_reply[0] = 'S';
mschap_reply[1] = '=';
memcpy(&(mschap_reply[2]), &(pStepBuff->fBufferData[4]), len);
mschap_add_reply(request, &request->reply->vps,
*response->vp_strvalue,
"MS-CHAP2-Success",
mschap_reply, len+2);
RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%zu)\n", mschap_reply, len);
} else {
RDEBUG2("ELW: len == %zu\n", len);
}
}
}

You may notice a few extra lines I added for debugging purposes (text strings with ELW in them). This code seems pretty clearly where MS-CHAP2-Success is supposed to be added to the reply. Below, in the section headed Appendix A, you see the debug output from 3.0.17 with the additional debugging added. It clearly shows that the test “len == 40” is failing during successful authentication, and therefore the MS-CHAP2-Success value is not being added to the reply.

It has been many decades since I did C programming, so this exhausts my ability to debug the problem without digging out my Kernighan & Ritchie, assuming I could find it.

I’ve seen text in various comments that the open directory configuration is owned by Apple, should I assume that opendir.c is owned by them as well? If so, I’ll file a bug with them, and drop back to 2.2.10.

Appendix A
=========

Ready to process requests
(0) Received Access-Request Id 49 from 192.168.1.1:50192 to 192.168.1.2:1812 length 132
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) User-Name = "eric"
(0) MS-CHAP-Challenge = 0x2865983ecdee941a08a635417c19deb5
(0) MS-CHAP2-Response = 0x410010c7856c01bf71f1230a236ccd8a535a000000000000000008c485f49f713bcefda1a071a0df4565e3fd316e9c5aa40e
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181204
(0) auth_log: EXPAND %t
(0) auth_log: --> Tue Dec 4 21:59:38 2018
(0) [auth_log] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "eric", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0) [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 136 seconds
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 136 seconds
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 136 seconds
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 136 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 136 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 136 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_sqlite: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Reserved connection (6)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (6)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
(0) mschap: Stepbuf server challenge :
2865ffffff983effffffcdffffffeeffffff941a08ffffffa635417c19ffffffdeffffffb5
(0) mschap: Stepbuf peer challenge :
10ffffffc7ffffff856c01ffffffbf71fffffff1230a236cffffffcdffffff8a535a
(0) mschap: Stepbuf p24 :
08ffffffc4ffffff85fffffff4ffffff9f713bffffffcefffffffdffffffa1ffffffa071ffffffa0ffffffdf4565ffffffe3fffffffd316effffff9c5affffffa40e
(0) mschap: ELW: status == eDSNoErr
(0) mschap: ELW: pStepBuff->fBufferLength > 4
(0) mschap: ELW: len == 3978992058181353512
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) reply_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log: --> /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(0) reply_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/reply-detail-20181204
(0) reply_log: EXPAND %t
(0) reply_log: --> Tue Dec 4 21:59:38 2018
(0) [reply_log] = ok
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 21:59:38')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'eric', '', 'Access-Accept', '2018-12-04 21:59:38')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Login OK: [eric/<via Auth-Type = mschap>] (from client router.wittle.net port 0)
(0) Sent Access-Accept Id 49 from 192.168.1.2:1812 to 192.168.1.1:50192 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 49 with timestamp +136
Ready to process requests
-
List info/subscribe/unsubscribe? See http://www.fr
Matthew Newton
2018-12-05 10:35:59 UTC
Permalink
Post by Eric Wittle
if (pStepBuff->fBufferLength > 4) {
RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n");
size_t len;
I suspect changing that from uint32_t to size_t has had the unintended
consequences of making it a 64-bit integer on your platform, which
breaks the (len == 40) comparison.

Try changing "size_t len" to "uint32_t len" and see if that fixes it.
Post by Eric Wittle
(0) mschap: ELW: len == 3978992058181353512
The lower 32 bits of this value are "40"... the rest is junk.
--
Matthew

-
List info/subscribe/unsubscribe? See ht
Alan DeKok
2018-12-05 14:01:05 UTC
Permalink
Post by Matthew Newton
I suspect changing that from uint32_t to size_t has had the unintended
consequences of making it a 64-bit integer on your platform, which
breaks the (len == 40) comparison.
Try changing "size_t len" to "uint32_t len" and see if that fixes it.
I've pushed a fix to the v3.0.x branch. The change to "size_t" was a mis-guided attempt to fix string printing issues.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://ww
Eric Wittle
2018-12-05 13:36:55 UTC
Permalink
Responding to Matthew (I subscribed with digest enabled, so replying to specific emails is a challenge. Mistake on my part).

Revised section of code is:

if (status == eDSNoErr) {
RDEBUG2("ELW: status == eDSNoErr\n");
if (pStepBuff->fBufferLength > 4) {
RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n");
uint32_t len;

memcpy(&len, pStepBuff->fBufferData, sizeof(len));
RDEBUG2("ELW: sizeof(len) = %lu\n", sizeof(len));
RDEBUG2("ELW: value of len is %lu\n", len);
if (len == 40) {
RDEBUG2("ELW: Inside len == 40\n");
char mschap_reply[42] = { '\0' };
pStepBuff->fBufferData[len+4] = '\0';
mschap_reply[0] = 'S';
mschap_reply[1] = '=';
memcpy(&(mschap_reply[2]), &(pStepBuff->fBufferData[4]), len);
RDEBUG2("About to mschap_add_reply with %s\n", mschap_reply);
mschap_add_reply(request, &request->reply->vps,
*response->vp_strvalue,
"MS-CHAP2-Success",
mschap_reply, len+2);
RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%zu)\n", mschap_reply, len);

That gets me a bit farther (inside the len == 40 check), but then I get a seg fault in the call to mschap_add_reply:

Ready to process requests
(0) Received Access-Request Id 62 from 192.168.1.1:44978 to 192.168.1.2:1812 length 132
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) User-Name = "eric"
(0) MS-CHAP-Challenge = 0x574ca5b59a8e344553b717024fa20962
(0) MS-CHAP2-Response = 0x3b0091c88b94ecc81c10752a252fd386ca2b0000000000000000a394fdc9ca017ded44b770f4d01a535f3fe7fee7a1f6df4c
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/radius/radacct/192.168.1.1/auth-detail-20181205
(0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/auth-detail-20181205
(0) auth_log: EXPAND %t
(0) auth_log: --> Wed Dec 5 08:30:37 2018
(0) [auth_log] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "eric", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) opendirectory: The host 192.168.1.1 does not have an access group.
(0) [opendirectory] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> eric
(0) sql: SQL-User-Name set to 'eric'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'eric' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'eric' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(0) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(0) mschap: OD username_string = eric, OD shortUserName=eric (length = 4)
(0) mschap: Stepbuf server challenge :
574cffffffa5ffffffb5ffffff9affffff8e344553ffffffb717024fffffffa20962
(0) mschap: Stepbuf peer challenge :
ffffff91ffffffc8ffffff8bffffff94ffffffecffffffc81c10752a252fffffffd3ffffff86ffffffca2b
(0) mschap: Stepbuf p24 :
ffffffa3ffffff94fffffffdffffffc9ffffffca017dffffffed44ffffffb770fffffff4ffffffd01a535f3fffffffe7fffffffeffffffe7ffffffa1fffffff6ffffffdf4c
(0) mschap: ELW: status == eDSNoErr
(0) mschap: ELW: pStepBuff->fBufferLength > 4
(0) mschap: ELW: sizeof(len) = 4
(0) mschap: ELW: value of len is 40
(0) mschap: ELW: Inside len == 40
(0) mschap: About to mschap_add_reply with S=B523E9A9A2F00BF04246DD46E1C3BDC1E7F0CA3F????
Segmentation fault: 11
Post by Eric Wittle
if (pStepBuff->fBufferLength > 4) {
RDEBUG2("ELW: pStepBuff->fBufferLength > 4\n");
size_t len;
I suspect changing that from uint32_t to size_t has had the unintended
consequences of making it a 64-bit integer on your platform, which
breaks the (len == 40) comparison.

Try changing "size_t len" to "uint32_t len" and see if that fixes it.
Post by Eric Wittle
(0) mschap: ELW: len == 3978992058181353512
The lower 32 bits of this value are "40"... the rest is junk.
--
Matthew

-
List info/subscribe/unsubscribe? See
Matthew Newton
2018-12-05 13:58:54 UTC
Permalink
Post by Eric Wittle
Responding to Matthew (I subscribed with digest enabled, so replying
to specific emails is a challenge. Mistake on my part).
RDEBUG2("dsDoDirNodeAuth returns
stepbuff: %s (len=%zu)\n", mschap_reply, len);
(or change the %zu to %ld)

That's the only other line of code in that section that has changed in
~10 years. I can't imagine telling it to print 64 bits when there are
only 32 is going to always end well.

The segfault happens somewherer after your RDEBUG line. Not necessarily
on the very next line, though.
--
Matthew

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/us
Eric Wittle
2018-12-05 23:21:23 UTC
Permalink
Responding to Matthew & Alan.

I manually repeated the changes Alan checked in to opendir.c. Unfortunately, I still got a segfault after those changes. I’ve done some debugging since, and now have a successfully authenticating VPN with the modified code (yeah)!

The segmentation fault was because the method signature for mschap_add_reply in opendir.c didn’t match the actual method in rlm_mschap.c. I changed the signature definition at the top to remove the ValuePair parameter; it seemed to match the current definition in rlm_mschap.c more correctly that way:

/* void mschap_add_reply(REQUEST *request, VALUE_PAIR** vp, unsigned char ident,
char const* name, char const* value, int len); */
void mschap_add_reply(REQUEST *request, unsigned char ident,
char const* name, char const* value, int len);

and the method call for MS-CHAP2-Success:

mschap_add_reply(request, /* &request->reply->vps, */
*response->vp_strvalue,
"MS-CHAP2-Success",
mschap_reply, len + 2);

As I mentioned, VPN authentication is now working with these modifications. If these are not the most correct way to solve the problem, please let me know. I’m also willing to build from a pull when you have a final change as a validation if you’d like.

I’m planning on filing an issue with Apple on their documentation for migrating from Apple Server to the 3.0 version of FreeRADIUS. I’m honestly curious if either of you think that open directory authentication with 3.0 could work in any cases? It seems to me like they never tested their instructions, but I admit I’m generalizing from one single use case (router authentication). As you can probably tell from some of my early e-mails, my ignorance about FreeRADIUS was quite high when I first engaged with this group, and I simply don’t know if there would be use cases where the missing MS-CHAP2-Success would not cause problems.

Lastly, when I file the issue with apple, would you be comfortable that I recommend that they change to a 3.0 version that contains whatever the final fixed code is? Their docs currently say 3.0.0 specifically. If so, would that be 3.0.18?

Thanks again for your help, and sorry for any confusion I may have caused along the way.

-Eric

-
List info/subscribe/unsubscribe?
Alan DeKok
2018-12-06 12:29:43 UTC
Permalink
Post by Eric Wittle
Responding to Matthew & Alan.
I manually repeated the changes Alan checked in to opendir.c. Unfortunately, I still got a segfault after those changes. I’ve done some debugging since, and now have a successfully authenticating VPN with the modified code (yeah)!
Thanks. I've pushed a fix to the code. It should now be in the v3.0.x branch on GitHub.
Post by Eric Wittle
I’m planning on filing an issue with Apple on their documentation for migrating from Apple Server to the 3.0 version of FreeRADIUS. I’m honestly curious if either of you think that open directory authentication with 3.0 could work in any cases?
It worked prior to 2014, (3.0.6) when the erroneous change went in.
Post by Eric Wittle
It seems to me like they never tested their instructions, but I admit I’m generalizing from one single use case (router authentication). As you can probably tell from some of my early e-mails, my ignorance about FreeRADIUS was quite high when I first engaged with this group, and I simply don’t know if there would be use cases where the missing MS-CHAP2-Success would not cause problems.
Lastly, when I file the issue with apple, would you be comfortable that I recommend that they change to a 3.0 version that contains whatever the final fixed code is? Their docs currently say 3.0.0 specifically. If so, would that be 3.0.18?
Yes.
Post by Eric Wittle
Thanks again for your help, and sorry for any confusion I may have caused along the way.
Confusion is understandable. The most important thing is *learning*, and *fixing* problems. That is a skill which is much appreciated.

Alan DeKok.


-
List info/subscribe/unsubscribe

Alan DeKok
2018-12-03 11:49:56 UTC
Permalink
Post by Eric Wittle
Dec 3 2018 06:21:55 123216us AUTH2: {0x0a0b655a7dae11e49289ac87a301f654, eric} MS-CHAPv2 authentication succeeded.
So the startup & shutdown you see below would have been from when I started and stopped the directory service from the server app for other reasons. It also seems that the username & password is making it from the VPN authentication request from my iOS device through to the directory server OK, but apparently something is happening with the response.
The debug log you posted shows that the user was authenticated. And there was no error.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/user
Loading...