RADIUS on Leopard 10.5 Server

  • #373403
    iain
    Participant

    Is anyone else using the RADIUS service on 10.5 server? I was able to get it working briefly with an AirPort Base Station, but now authentication is failing with the following:

    Tue Jul 15 10:20:00 2008 : Auth: rlm_opendirectory: User is authorized.
    Tue Jul 15 10:20:00 2008 : Auth: rlm_opendirectory: User is authorized.
    Tue Jul 15 10:20:00 2008 : Auth: rlm_opendirectory: User is authorized.
    Tue Jul 15 10:20:02 2008 : Auth: rlm_opendirectory: User is authorized.
    Tue Jul 15 10:20:02 2008 : Auth: rlm_opendirectory: User is authorized.
    Tue Jul 15 10:20:02 2008 : Error: rlm_mschap: authentication failed -14090

    So it looks like Open Directory is successfully seeing the user, but MS-CHAP is failing. Anyone seen this before? I have not used RADIUS that much, but it looks like a pretty stock FreeRADIUS install. Any help would be appreciated.

    Thanks,

    -Iain

    #373404
    iain
    Participant

    Also, how could I get radiusd into debug mode, considering it's executed via launchd? I tried adding the x flag to the LaunchDaemons plist file, but it gets overwritten. Sorry for my ignorance of the launchd process.

    Thanks,

    -Iain

    #373409
    iain
    Participant

    Hmm, now it seems to be working again, with essentially zero changes made to the config. Ahhh, Leopard.

    I’d love a detailed account of the exchange between radius and open directory. I have no problem at all doing legwork in the configs, but I just need the docs to reference! FreeRADIUS docs are not a quick read, but somewhat helpful.

    #373418
    iain
    Participant

    Thanks for the response. I just have to say there are so many cool features tying into OD these days; I just wish there was better documentation. It seems that until X Server is officially documented at a lower level, these very exciting developments will remain on the fringe in business environments. It's hard to put my weight behind technology choices when I don't have the technical docs to rely on, and have to go scraping forums for advice. Yes, yes, just RTFM on FreeRADIUS. This is a good example of where the FreeRADIUS documentation is all there in their wiki, but much of it is not applicable to the X Server user and you have to wade through stuff just to get a baseline understanding. Another example would be the LDAP/SSL client changes. A good idea, but implemented in a beta-test style with no docs until the user community figures it out. I guess this is a fun challenge, but not when you're trying to make money with the software at some point. 😀

    Thanks, AFP548 has played a good hand in my troubleshooting.

    Iain

    #374392
    iain
    Participant

    This issue was related to another MS-CHAPv2 auth issue I was having. It inexplicably seems to be tied to replication. I have removed all replicas from this master and everything seems to be fine. Another user had the same issue I did, authenticating with NTLMv2. Removing his replicas fixed the recurring issue.

    Users who have this problem can be reliably identified by checking if the hash-only bit is set in mkpassdb for the GUID of the user.

    I have not received word back from Apple on this issue, but sent them the information.

    #374393
    iain
    Participant

    Now the next question I have is: has anyone been able to assign specific OD groups on a per-NAS basis in RADIUS? I'd love to hear from you.

    I have successfully set up Juniper firewalls to authenticate off OD RADIUS, but I need to assign access to specific groups on specific appliances. I'm assuming this could be configured in clients.conf, but I don't see a mechanism to assign a group per NAS.

    Thanks,

    -Iain
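The standard FreeRADIUS way to tie group membership to a particular NAS is not clients.conf but the `huntgroups` file (read by the `preprocess` module) combined with `DEFAULT` entries in the `users` file. The following is an added example, not configuration from this thread or from Apple's Leopard Server setup. It assumes the stock raddb layout (`/etc/raddb/huntgroups` and `/etc/raddb/users`), that `preprocess` runs before `files` in the `authorize` section (the FreeRADIUS default), and that the `Group` check item, which resolves through the system group database, can see Open Directory groups on the server. The NAS addresses (192.0.2.x) and group names are hypothetical placeholders.

```text
# /etc/raddb/huntgroups  (added example; addresses are placeholders)
# Tag each incoming request with a Huntgroup-Name based on the NAS it came
# from. The NAS-IP-Address must match the client block in clients.conf.
juniper-edge    NAS-IP-Address == 192.0.2.10
juniper-edge    NAS-IP-Address == 192.0.2.11
airport-wifi    NAS-IP-Address == 192.0.2.20

# /etc/raddb/users  (added example; place these before any catch-all DEFAULT)
# Reject anyone on the firewalls who is not a member of the "fw-admins"
# group. Group is a check item; "!=" makes the entry match non-members.
DEFAULT Huntgroup-Name == "juniper-edge", Group != "fw-admins", Auth-Type := Reject
        Reply-Message = "Not authorized on this device"

# Same pattern for the wireless base station and a broader user group.
DEFAULT Huntgroup-Name == "airport-wifi", Group != "wifi-users", Auth-Type := Reject
        Reply-Message = "Not authorized on this network"

# Requests that are not rejected above fall through to the normal
# authentication path (here, Open Directory / MS-CHAP).
```

Because the reject entries only match non-members of the named group, members continue through the rest of `users` and on to the real authentication module, so the per-NAS restriction is an authorization gate in front of the existing OD/MS-CHAP setup rather than a replacement for it. Running `radiusd -X` while testing will show the `Huntgroup-Name` assignment and which `users` entry matched.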
