
MSCHAPv2 fails to authenticate against OpenDirectory with error 5100 (0x13ec)

I'm trying to follow the instructions in Dan Barrett's article, OS X Mavericks Server – Setting Up FreeRADIUS (albeit on Yosemite), to authenticate Open Directory users via non-Apple authenticators.


However, the MSCHAPv2 module always fails as follows:


[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: testuser
[mschap] Client is using MS-CHAPv2 for testuser, we need NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Doing OD MSCHAPv2 auth
[mschap] Authentication failed for testuser: error 5100 (0x13ec): unknown error


I can't find any documentation on what might have caused this error and am not sure how to progress from here. Your thoughts would be most welcome!

Mac mini, OS X Server, v4.1

Posted on Jun 10, 2015 5:19 AM

5 replies

Mar 31, 2017 2:01 AM in response to nickety

I have just checked and MS-CHAPv2 is in the list on Server 5.3 but I am still seeing the error that was described by the OP.


I thought since I just enabled RADIUS that a user's NT-Password was not pre-generated, so I did a password change on a user from the Server Console and the attribute did not get generated.


What else should I check?

Mar 31, 2017 7:29 AM in response to WizardWlf

WizardWlf wrote:


I have just checked and MS-CHAPv2 is in the list on Server 5.3 but I am still seeing the error that was described by the OP.


I thought since I just enabled RADIUS that a user's NT-Password was not pre-generated, so I did a password change on a user from the Server Console and the attribute did not get generated.


What else should I check?


I suspect that Apple have further eliminated the possibility of using these old insecure authentication methods in their latest versions. Therefore MS-CHAPv2, CHAP, and PAP will probably all now be impossible to use.


(On a related topic Sierra killed off support for PPTP VPN connections.)


You probably need instead to look at EAP supported options like TLS, TTLS and PEAP. This article may be of a bit of help. See http://www.esecurityplanet.com/views/article.php/3899996/How-to-Use-Enterprise-WiFi-Encryption-and-8021X-in-Mac-OS-X.htm

Mar 31, 2017 10:16 AM in response to WizardWlf

Here is the output from the log for the EAP Negotiation.


Fri Mar 31 11:56:46 2017 : Info: # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default

Fri Mar 31 11:56:46 2017 : Info: +group authorize {

Fri Mar 31 11:56:46 2017 : Info: ++[preprocess] = ok

Fri Mar 31 11:56:46 2017 : Info: ++[chap] = noop

Fri Mar 31 11:56:46 2017 : Info: ++[mschap] = noop

Fri Mar 31 11:56:46 2017 : Info: ++[digest] = noop

Fri Mar 31 11:56:46 2017 : Info: [suffix] No '@' in User-Name = "shawn", looking up realm NULL

Fri Mar 31 11:56:46 2017 : Info: [suffix] No such realm "NULL"

Fri Mar 31 11:56:46 2017 : Info: ++[suffix] = noop

Fri Mar 31 11:56:46 2017 : Info: [eap] EAP packet type response id 255 length 111

Fri Mar 31 11:56:46 2017 : Info: [eap] Continuing tunnel setup.

Fri Mar 31 11:56:46 2017 : Info: ++[eap] = ok

Fri Mar 31 11:56:46 2017 : Info: +} # group authorize = ok

Fri Mar 31 11:56:46 2017 : Info: Found Auth-Type = EAP

Fri Mar 31 11:56:46 2017 : Info: # Executing group from file /Library/Server/radius/raddb/sites-enabled/default

Fri Mar 31 11:56:46 2017 : Info: +group authenticate {

Fri Mar 31 11:56:46 2017 : Info: [eap] Request found, released from the list

Fri Mar 31 11:56:46 2017 : Info: [eap] EAP/ttls

Fri Mar 31 11:56:46 2017 : Info: [eap] processing type ttls

Fri Mar 31 11:56:46 2017 : Info: [ttls] Authenticate

Fri Mar 31 11:56:46 2017 : Info: [ttls] processing EAP-TLS

Fri Mar 31 11:56:46 2017 : Debug: TLS Length 101

Fri Mar 31 11:56:46 2017 : Info: [ttls] Length Included

Fri Mar 31 11:56:46 2017 : Info: [ttls] eaptls_verify returned 11

Fri Mar 31 11:56:46 2017 : Info: [ttls] eaptls_process returned 7

Fri Mar 31 11:56:46 2017 : Info: [ttls] Session established. Proceeding to decode tunneled attributes.

Fri Mar 31 11:56:46 2017 : Info: # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel

Fri Mar 31 11:56:46 2017 : Info: +group authorize {

Fri Mar 31 11:56:46 2017 : Info: ++[chap] = noop

Fri Mar 31 11:56:46 2017 : Info: ++[mschap] = noop

Fri Mar 31 11:56:46 2017 : Info: [suffix] No '@' in User-Name = "shawn", looking up realm NULL

Fri Mar 31 11:56:46 2017 : Info: [suffix] No such realm "NULL"

Fri Mar 31 11:56:46 2017 : Info: ++[suffix] = noop

Fri Mar 31 11:56:46 2017 : Info: ++update control {

Fri Mar 31 11:56:46 2017 : Info: ++} # update control = noop

Fri Mar 31 11:56:46 2017 : Info: [eap] EAP packet type response id 1 length 64

Fri Mar 31 11:56:46 2017 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation

Fri Mar 31 11:56:46 2017 : Info: ++[eap] = updated

Fri Mar 31 11:56:46 2017 : Info: ++[files] = noop

Fri Mar 31 11:56:46 2017 : Info: ++[expiration] = noop

Fri Mar 31 11:56:46 2017 : Info: ++[logintime] = noop

Fri Mar 31 11:56:46 2017 : Info: ++[pap] = noop

Fri Mar 31 11:56:46 2017 : Info: +} # group authorize = updated

Fri Mar 31 11:56:46 2017 : Info: Found Auth-Type = EAP

Fri Mar 31 11:56:46 2017 : Info: # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel

Fri Mar 31 11:56:46 2017 : Info: +group authenticate {

Fri Mar 31 11:56:46 2017 : Info: [eap] Request found, released from the list

Fri Mar 31 11:56:46 2017 : Info: [eap] EAP/mschapv2

Fri Mar 31 11:56:46 2017 : Info: [eap] processing type mschapv2

Fri Mar 31 11:56:46 2017 : Info: [mschapv2] # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel

Fri Mar 31 11:56:46 2017 : Info: [mschapv2] +group MS-CHAP {

Fri Mar 31 11:56:46 2017 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.

Fri Mar 31 11:56:46 2017 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.

Fri Mar 31 11:56:46 2017 : Info: [mschap] Creating challenge hash with username: shawn

Fri Mar 31 11:56:46 2017 : Info: [mschap] Client is using MS-CHAPv2 for shawn, we need NT-Password

Fri Mar 31 11:56:46 2017 : Info: [mschap] Using OpenDirectory to authenticate

Fri Mar 31 11:56:46 2017 : Info: [mschap] Doing OD MSCHAPv2 auth

Fri Mar 31 11:56:46 2017 : Info: [mschap] Authentication failed for shawn: error 5200 (0x1450): unknown error

Fri Mar 31 11:56:46 2017 : Info: ++[mschap] = reject

Fri Mar 31 11:56:46 2017 : Info: +} # group MS-CHAP = reject

Fri Mar 31 11:56:46 2017 : Info: [eap] Freeing handler

Fri Mar 31 11:56:46 2017 : Info: ++[eap] = reject

Fri Mar 31 11:56:46 2017 : Info: +} # group authenticate = reject

Fri Mar 31 11:56:46 2017 : Info: Failed to authenticate the user.

Fri Mar 31 11:56:46 2017 : Auth: Login incorrect: [shawn/<via Auth-Type = EAP>] (from client hallway port 0 via TLS tunnel)

Fri Mar 31 11:56:46 2017 : Info: Using Post-Auth-Type Reject

Fri Mar 31 11:56:46 2017 : Info: # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel

Fri Mar 31 11:56:46 2017 : Info: +group REJECT {

Fri Mar 31 11:56:46 2017 : Info: [attr_filter.access_reject] expand: %{User-Name} -> shawn

Fri Mar 31 11:56:46 2017 : Debug: attr_filter: Matched entry DEFAULT at line 11

Fri Mar 31 11:56:46 2017 : Info: ++[attr_filter.access_reject] = updated

Fri Mar 31 11:56:46 2017 : Info: +} # group REJECT = updated

Fri Mar 31 11:56:46 2017 : Info: [ttls] Got tunneled Access-Reject

Fri Mar 31 11:56:46 2017 : Info: [eap] Handler failed in EAP/ttls

Fri Mar 31 11:56:46 2017 : Debug: rlm_eap_ttls: Freeing handler for user shawn

Fri Mar 31 11:56:46 2017 : Info: [eap] Failed in EAP select

Fri Mar 31 11:56:46 2017 : Info: ++[eap] = invalid

Fri Mar 31 11:56:46 2017 : Info: +} # group authenticate = invalid

Fri Mar 31 11:56:46 2017 : Info: Failed to authenticate the user.

Fri Mar 31 11:56:46 2017 : Auth: Login incorrect: [shawn/<via Auth-Type = EAP>] (from client hallway port 0 cli E0-B5-2D-3C-BB-7B)

Fri Mar 31 11:56:46 2017 : Info: Using Post-Auth-Type Reject

Fri Mar 31 11:56:46 2017 : Info: # Executing group from file /Library/Server/radius/raddb/sites-enabled/default

Fri Mar 31 11:56:46 2017 : Info: +group REJECT {

Fri Mar 31 11:56:46 2017 : Info: ++? if ("%{EAP-Message}")

Fri Mar 31 11:56:46 2017 : Info: expand: %{EAP-Message} -> 0x02ff006f1580000000651703010060cac1037b098d368e034718494eab94aba9ec16da4b29e38a03043a0bb89d962a03625b800020df8a687068dbc5e81539152be037ba972903472e63e345373ba4232e88066de9fa00a9a6f844e9d135b072c18060856c93b80587b657eefeb439

Fri Mar 31 11:56:46 2017 : Info: ? Evaluating ("%{EAP-Message}") -> TRUE

Fri Mar 31 11:56:46 2017 : Info: ++? if ("%{EAP-Message}") -> TRUE

Fri Mar 31 11:56:46 2017 : Info: ++if ("%{EAP-Message}") {

Fri Mar 31 11:56:46 2017 : Info: +++update reply {

Fri Mar 31 11:56:46 2017 : Info: expand: %{Message-Authenticator} -> 0xfc3de74973bde3093ab0cc1a16195272

Fri Mar 31 11:56:46 2017 : Info: +++} # update reply = noop

Fri Mar 31 11:56:46 2017 : Info: ++} # if ("%{EAP-Message}") = noop

Fri Mar 31 11:56:46 2017 : Info: [eap] Reply already contained an EAP-Message, not inserting EAP-Failure

Fri Mar 31 11:56:46 2017 : Info: ++[eap] = noop

Fri Mar 31 11:56:46 2017 : Info: [attr_filter.access_reject] expand: %{User-Name} -> shawn

Fri Mar 31 11:56:46 2017 : Debug: attr_filter: Matched entry DEFAULT at line 11

Fri Mar 31 11:56:46 2017 : Info: ++[attr_filter.access_reject] = updated

Fri Mar 31 11:56:46 2017 : Info: +} # group REJECT = updated

Fri Mar 31 11:56:46 2017 : Info: Delaying reject of request 39 for 1 seconds

Fri Mar 31 11:56:46 2017 : Debug: Going to the next request

Fri Mar 31 11:56:46 2017 : Debug: Thread 5 waiting to be assigned a request

Fri Mar 31 11:56:46 2017 : Debug: Waking up in 0.2 seconds.

Fri Mar 31 11:56:47 2017 : Info: Sending delayed reject for request 39

Fri Mar 31 11:56:47 2017 : Debug: Waking up in 1.4 seconds.

Fri Mar 31 11:56:48 2017 : Info: Cleaning up request 24 ID 9 with timestamp +31745

Fri Mar 31 11:56:48 2017 : Debug: Waking up in 0.3 seconds.

Jun 11, 2015 7:39 AM in response to nickety

The MS-CHAPv2 SASL mechanism is no longer enabled in Open Directory Password Server by default. To enable it (on OS X Server v4.0):


  1. Launch "Directory Utility"
  2. In the "Directory Editor", select the LDAP node for the directory server
  3. Authenticate to the directory (as an admin) by clicking the padlock and providing valid credentials, if required
  4. Select "Config" from the "Viewing" dropdown
  5. Select the "dirserv" record
  6. Click on the "dsAttrTypeNative:apple-enabled-auth-mech" attribute
  7. Click the "+" button to the right of the corresponding value field
  8. Enter "MS-CHAPv2" (without quotes) into the editor
  9. Click "Save"


I then rebooted in order to be absolutely certain that the changes took effect (though just restarting PasswordServer might suffice, if even that's necessary).


MS-CHAPv2 hashes are then generated when each user next changes their password; they can then authenticate using RADIUS.
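As an added example (not code from the thread or from FreeRADIUS), the following Python triage correlates the rlm_mschap lines of a radiusd log like the ones posted above into one record per failed Open Directory MS-CHAPv2 attempt, so an administrator can see at a glance which users hit the OD path, which error code was returned, and from which NAS. The sample lines are copied from the log in the thread; the record and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines taken from the radiusd log posted in this thread.
SAMPLE_LOG = """\
Fri Mar 31 11:56:46 2017 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Fri Mar 31 11:56:46 2017 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Fri Mar 31 11:56:46 2017 : Info: [mschap] Client is using MS-CHAPv2 for shawn, we need NT-Password
Fri Mar 31 11:56:46 2017 : Info: [mschap] Using OpenDirectory to authenticate
Fri Mar 31 11:56:46 2017 : Info: [mschap] Doing OD MSCHAPv2 auth
Fri Mar 31 11:56:46 2017 : Info: [mschap] Authentication failed for shawn: error 5200 (0x1450): unknown error
Fri Mar 31 11:56:46 2017 : Info: ++[mschap] = reject
Fri Mar 31 11:56:46 2017 : Auth: Login incorrect: [shawn/<via Auth-Type = EAP>] (from client hallway port 0 via TLS tunnel)
"""

FAIL_RE = re.compile(r"\[mschap\] Authentication failed for (?P<user>\S+): "
                     r"error (?P<code>\d+) \((?P<hex>0x[0-9a-fA-F]+)\)")
LOGIN_RE = re.compile(r"Auth: Login incorrect: \[(?P<user>[^/\]]+)/[^\]]*\] "
                      r"\(from client (?P<client>\S+)")

@dataclass
class OdMschapFailure:
    user: str
    code: int                   # decimal error code as logged, e.g. 5100 or 5200
    hex_code: int               # the parenthesised hex value, parsed
    od_path: bool               # "[mschap] Doing OD MSCHAPv2 auth" preceded the failure
    no_local_nt_password: bool  # rlm_mschap had no Cleartext-Password to derive NT-Password from
    client: Optional[str] = None  # NAS shortname from the later "Login incorrect" line

    def consistent(self) -> bool:
        """True when the decimal and hex codes on the log line agree."""
        return self.code == self.hex_code

def triage(log_text: str) -> List[OdMschapFailure]:
    """Correlate rlm_mschap lines into one record per failed OD MS-CHAPv2 attempt."""
    failures: List[OdMschapFailure] = []
    od_path = no_nt = False
    for line in log_text.splitlines():
        if "Cannot create NT-Password" in line:
            no_nt = True
        elif "[mschap] Doing OD MSCHAPv2 auth" in line:
            od_path = True
        elif (m := FAIL_RE.search(line)):
            failures.append(OdMschapFailure(m["user"], int(m["code"]), int(m["hex"], 16), od_path, no_nt))
            od_path = no_nt = False  # the collected state belongs to this attempt only
        elif (m := LOGIN_RE.search(line)) and failures and failures[-1].client is None \
                and failures[-1].user == m["user"]:
            failures[-1].client = m["client"]
    return failures

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A record with `od_path` set is the case this thread describes: the NT hash is not derived locally and Open Directory rejects the mechanism, which points at the `apple-enabled-auth-mech` setting and the password-change requirement from the answer above.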
