
We have a Windows Server 2012 Active Directory Infrastructure that consists of two domain controllers. Bound to the Active Directory Domain is a Mac OS X Mavericks Server 10.9.3. The server runs Profile Manager and VPN Services. My Active Directory users are able to authenticate to the Profile Manager, but not the VPN.

I have found several threads on other forums of other users reporting similar issues, here is just one of many references: https://discussions.apple.com/thread/5174619

It appears as though the issue is related to a CHAP authentication failure.

  • Can anyone suggest what next troubleshooting steps I might take?
  • Is there a way to liberalize the authentication mechanism to include MS-CHAPv2?

Here is an excerpt of the transaction from the logs. Please note the domain has been changed to example.com.

Jun 6 15:25:03 profile-manager.example.com vpnd[10317]: Incoming call... Address given to client = 192.168.55.217
Jun 6 15:25:03 profile-manager.example.com pppd[10677]: publish_entry SCDSet() failed: Success!
Jun 6 15:25:03 --- last message repeated 2 times ---
Jun 6 15:25:03 profile-manager.example.com pppd[10677]: pppd 2.4.2 (Apple version 727.90.1) started by root, uid 0
Jun 6 15:25:03 profile-manager.example.com pppd[10677]: L2TP incoming call in progress from '108.46.112.181'...
Jun 6 15:25:03 profile-manager.example.com racoon[257]: pfkey DELETE received: ESP 192.168.55.12[4500]->108.46.112.181[4500] spi=25137226(0x17f904a)
Jun 6 15:25:04 profile-manager.example.com pppd[10677]: L2TP connection established.
Jun 6 15:25:04 profile-manager kernel[0]: ppp0: is now delegating en0 (type 0x6, family 2, sub-family 0)
Jun 6 15:25:04 profile-manager.example.com pppd[10677]: Connect: ppp0 <--> socket[34:18]
Jun 6 15:25:04 profile-manager.example.com pppd[10677]: CHAP peer authentication failed for alex
Jun 6 15:25:04 profile-manager.example.com pppd[10677]: Connection terminated.
Jun 6 15:25:04 profile-manager.example.com pppd[10677]: L2TP disconnecting...
Jun 6 15:25:04 profile-manager.example.com pppd[10677]: L2TP disconnected
Jun 6 15:25:04 profile-manager.example.com vpnd[10317]: --> Client with address = 192.168.55.217 has hung up

sardean
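The pppd/vpnd lines above are the only evidence of the failure, so it helps to be able to reconstruct each VPN session from them and see which user, which remote address and which PPP authentication protocol failed, and how often. The following is an added example, not code from the question or from Apple's VPN service: it correlates pppd lines by process id (each L2TP call gets its own pppd pid, while vpnd keeps one pid), extracts the remote address from the "incoming call in progress" line, records the outcome of the "peer authentication" line, and then counts failures per (remote address, user) so repeated failures from one source stand out. The sample log is constructed from the format of the posted excerpt; the "peer authentication succeeded for" wording assumed for the success case is the one used by pppd's sources, but it is an assumption about this server's output.

```python
"""Reconstruct L2TP/PPP sessions from pppd syslog lines and flag failed
peer authentication. Example code; the sample log below is constructed
to match the format of the posted excerpt, not captured from the server."""
import re
from collections import Counter
from dataclasses import dataclass

# "Jun 6 15:25:03 host proc[pid]: message"  (single-digit day has one space)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[A-Za-z0-9_.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CALL_RE = re.compile(r"L2TP incoming call in progress from '(?P<ip>[^']+)'")
# Matches "CHAP peer authentication failed for alex"; the "succeeded" form is
# assumed from pppd's sources (not seen in the posted log).
AUTH_RE = re.compile(
    r"^(?P<proto>\S+) peer authentication (?P<result>failed|succeeded) for (?P<user>.+)$"
)

SAMPLE_LOG = """\
Jun 6 15:25:03 profile-manager.example.com vpnd[10317]: Incoming call... Address given to client = 192.168.55.217
Jun 6 15:25:03 profile-manager.example.com pppd[10677]: pppd 2.4.2 (Apple version 727.90.1) started by root, uid 0
Jun 6 15:25:03 profile-manager.example.com pppd[10677]: L2TP incoming call in progress from '108.46.112.181'...
Jun 6 15:25:03 --- last message repeated 2 times ---
Jun 6 15:25:04 profile-manager kernel[0]: ppp0: is now delegating en0 (type 0x6, family 2, sub-family 0)
Jun 6 15:25:04 profile-manager.example.com pppd[10677]: CHAP peer authentication failed for alex
Jun 6 15:25:04 profile-manager.example.com pppd[10677]: Connection terminated.
Jun 6 15:26:10 profile-manager.example.com pppd[10702]: L2TP incoming call in progress from '108.46.112.181'...
Jun 6 15:26:11 profile-manager.example.com pppd[10702]: CHAP peer authentication failed for alex
Jun 6 15:26:11 profile-manager.example.com pppd[10702]: Connection terminated.
Jun 6 15:40:02 profile-manager.example.com pppd[10790]: L2TP incoming call in progress from '203.0.113.7'...
Jun 6 15:40:03 profile-manager.example.com pppd[10790]: PAP peer authentication succeeded for maria
"""


@dataclass
class Session:
    pid: str
    started: str
    remote: str = "?"
    user: str = "?"
    proto: str = "?"
    result: str = "unknown"     # "failed", "succeeded" or "unknown"
    terminated: bool = False


def parse_line(line):
    """Split one syslog line into its fields, or return None for lines that do
    not carry a "proc[pid]:" prefix (e.g. "--- last message repeated ---")."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Group pppd lines by pid into Session records, in first-seen order."""
    sessions = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "pppd":
            continue                      # vpnd, racoon, kernel lines are not per-call
        s = sessions.setdefault(rec["pid"], Session(pid=rec["pid"], started=rec["ts"]))
        msg = rec["msg"]
        if (m := CALL_RE.search(msg)):
            s.remote = m["ip"]
        elif (m := AUTH_RE.match(msg)):
            s.proto, s.result, s.user = m["proto"], m["result"], m["user"]
        elif msg.startswith("Connection terminated"):
            s.terminated = True
    return list(sessions.values())


def failed_auth_by_source(sessions, threshold=1):
    """Count failed authentications per (remote address, user) and return only
    the pairs at or above `threshold`; a high count from one address is the
    pattern to look at before concluding the problem is configuration."""
    counts = Counter((s.remote, s.user) for s in sessions if s.result == "failed")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for s in found:
        print(f"{s.started} pid={s.pid} remote={s.remote} user={s.user} "
              f"proto={s.proto} result={s.result} terminated={s.terminated}")
    print("repeated failures:", failed_auth_by_source(found, threshold=2))
```

Run it against `/var/log/ppp.log` or the system log with `analyze(open(path).read().splitlines())`; sessions with `result == "unknown"` are calls that dropped before the authentication phase and deserve a separate look.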

1 Answer


CHAP requires that the plaintext password be accessible to the authentication server. Active Directory doesn't store plaintext passwords by default, so CHAP won't work.

It would appear that you can modify the VPN server configuration file (com.apple.RemoteAccessServers.plist) to use the MS-CHAPv2 authentication protocol. Given the weakness of the protocol I can't really recommend using it. Your only alternatives are EAP with either RSA tokens or Kerberos. Since you've got an Active Directory environment already I think getting your OS X VPN server joined to the domain and attempting to use Kerberos is probably your best bet. (Having said that, though, it's something I have less than no experience with and can't give you any kind of step-by-step direction.)

Evan Anderson
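The first sentence of the answer is a property of the protocol itself, and it is easier to see in code than in prose. The following is an added example, not code from the answer or from any VPN implementation: it simulates one RFC 1994 CHAP round in a single process, with the client computing Response = MD5(Identifier || secret || Challenge), and runs it against two authenticators, one that holds the plaintext password and one that holds only a salted one-way hash (a stand-in for a directory that keeps no reversible password). The hash-only store can still check a password presented in the clear, which is what PAP sends, but it has nothing from which to recompute the CHAP response. The user name and password are constructed for the demo. (For contrast: MS-CHAPv2, RFC 2759, derives its response from the NT hash of the password rather than the password itself, which is why a Windows directory can answer it without plaintext; that part is not implemented here.)

```python
"""RFC 1994 CHAP round simulated in one process, to show why the
authenticator must hold the plaintext secret. Example code; the user
and password below are constructed."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class PlaintextStore:
    """Authenticator that keeps reversible (plaintext) passwords, so it can
    recompute the expected CHAP response and compare in constant time."""

    def __init__(self, users):
        self._users = dict(users)

    def verify_chap(self, user, identifier, challenge, response):
        secret = self._users.get(user)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class OneWayHashStore:
    """Authenticator that keeps only a salted one-way hash per user (stand-in
    for a directory with no reversible password). It can verify a password
    presented in the clear, but it cannot produce MD5(id || secret || challenge)
    because `secret` is gone once hashed."""

    def __init__(self, users):
        self._users = {}
        for user, password in users.items():
            salt = os.urandom(16)
            digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
            self._users[user] = (salt, digest)

    def verify_password(self, user, password):
        """PAP-style check: the client sent the password itself."""
        entry = self._users.get(user)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def verify_chap(self, user, identifier, challenge, response):
        # No plaintext is available to feed into MD5; the only thing this store
        # could do is guess passwords offline, which is not verification.
        return False


def run_chap(store, user, client_password, identifier=0x2A):
    """One CHAP round: server challenge -> client response -> server verdict."""
    challenge = os.urandom(16)                                         # server -> client
    response = chap_response(identifier, client_password, challenge)   # client -> server
    return store.verify_chap(user, identifier, challenge, response)    # server decides


USERS = {"alex": b"correct horse battery staple"}   # constructed sample credential


def demo():
    """Outcomes for the same credential against both kinds of authenticator."""
    plain = PlaintextStore(USERS)
    hashed = OneWayHashStore(USERS)
    return {
        "plaintext_store_chap_right_pw": run_chap(plain, "alex", USERS["alex"]),
        "plaintext_store_chap_wrong_pw": run_chap(plain, "alex", b"wrong"),
        "hash_store_pap_right_pw": hashed.verify_password("alex", USERS["alex"]),
        "hash_store_chap_right_pw": run_chap(hashed, "alex", USERS["alex"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'accepted' if ok else 'rejected'}")
```

The last two results are the point: the same store accepts the password when it is sent directly (the PAP case) and has no way to accept a CHAP response, which matches a CHAP failure turning into a success once the PPP authenticator is switched to PAP, at the cost of the password crossing the tunnel in the clear inside the L2TP/IPsec session.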
  • Thanks for the info. The interesting thing is every other OS X Service can be authenticated by AD accounts with no problem. The OS X Server is bound to AD. I inspected the contents of the com.apple.RemoteAccessServers.plist for the `AuthenticatorProtocol` key which is indeed set to MSCHAPv2. So I suspect the issue is very specific to the PPP authentication phase. – sardean Jun 07 '14 at 02:37
  • I changed the `AuthenticatorProtocol` to `PAP` just for the purpose of systematic fault isolation and it works. `EAP` however, does not. – sardean Jun 07 '14 at 03:15