Using mschap authentication without EAP

Phil Mayers p.mayers at imperial.ac.uk
Fri Jul 21 13:18:51 CEST 2006


> dn: cn=Vito Cu,ou=utenti,dc=xxxx,dc=it
> userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9

This is:

userPassword: {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=

You MUST have plaintext passwords in your LDAP directory to do CHAP.



Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as 
User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section 
of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap 
(rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is 
required for authentication. Cannot use "CHAP-Password".


Your NAS submitted a CHAP request. You cannot check CHAP requests by 
simple bind to LDAP, only PAP.

You have three choices:

  1. Store plaintext passwords in userPassword in LDAP, and use CHAP, 
configured like this:

authorize {
   preprocess
   chap
   ldap
}
authenticate {
   Auth-Type CHAP {
     chap
   }
}

  2. Store whatever you like in LDAP, configure your NAS to use PAP and 
LDAP simple binds, configured like this:

authorize {
   preprocess
   ldap
}
authenticate {
   Auth-Type LDAP {
    ldap
   }
}

  3. Store crypted passwords in userPassword, configure your NAS to use 
PAP, and do PAP at the server side. Not recommended.
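
Why choice 1 needs plaintext while choice 2 does not, as an added example that is not part of the original post: it decodes the quoted LDIF value, then checks a PAP and a CHAP (RFC 1994) request against a stored {SHA} value. The sample password and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# userPassword from the LDIF quoted in the post; "::" in LDIF marks base64.
LDIF_VALUE = "e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9"


def decode_ldif_value(b64: str) -> str:
    """Decode a base64-encoded LDIF attribute value to text."""
    return base64.b64decode(b64).decode("ascii")


def make_sha_entry(password: bytes) -> str:
    """Build a {SHA} value: base64 of the unsalted SHA-1 digest."""
    digest = hashlib.sha1(password).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def pap_check(stored: str, submitted: bytes) -> bool:
    """PAP delivers the password itself, so the server can hash and compare."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} is handled in this example")
    return hmac.compare_digest(stored, make_sha_entry(submitted))


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_check(ident: int, challenge: bytes, response: bytes,
               known_secret: bytes) -> bool:
    """CHAP never sends the password; the server must recompute the MD5
    from the same secret bytes the client used."""
    expected = chap_response(ident, known_secret, challenge)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    print(decode_ldif_value(LDIF_VALUE))
    password = b"example-password"      # constructed sample, not from the post
    stored = make_sha_entry(password)   # what the directory would hold
    ident, challenge = 1, os.urandom(16)
    resp = chap_response(ident, password, challenge)   # client side
    print("PAP against {SHA}:     ", pap_check(stored, password))
    print("CHAP, plaintext known: ", chap_check(ident, challenge, resp, password))
    print("CHAP, only hash known: ",
          chap_check(ident, challenge, resp, stored.encode()))
```

The last check fails because the server only holds the SHA-1 digest and cannot recover the bytes the client fed into MD5.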


