Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

Colleen C. Morrissey morric at rpi.edu
Tue Jun 19 17:22:51 CEST 2007


I spoke too soon.  This works ok for a user/password in users file, but 
not via LDAP.  Via ldap mschap works but not gtc.  Below is snippet of 
output when it is failing.  Any advice on how to fix would be appreciated:
[root at aster raddb]# more gtc_info
modcall: entering group authenticate for request 502
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/gtc
   rlm_eap: processing type gtc
   Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 502
rlm_pap: login attempt with password blah
rlm_pap: Using NT encryption.
radius_xlat: Running registered xlat function of module mschap for 
string 'NT-Hash blah'
   rlm_mschap: Unknown expansion string "NT-Hash blah"
radius_xlat:  ''
rlm_pap: mschap xlat failed
rlm_pap: Passwords don't match

Colleen C. Morrissey wrote:
> Thanks!  I had ldap returning Password-with-Header for GTC deployment 
> and then added NT-Password for ms-chapv2.  Commenting out the 
> password-with-header for userpassword in ldap.attrmap seems to allow 
> both to work.  Which makes my life much easier :)
> 
> Alan Dekok wrote:
>> Colleen C. Morrissey wrote:
>>> My question is can I somehow support both simultaneously with the same 
>>> freeradius daemon (I know I can simply run a second daemon on different 
>>> port supporting the other but that will require me to do lots of work on 
>>> infrastructure/ssids to point to different servers)?  Does anybody 
>>> happen to have this working and be willing to post config?  Or any other 
>>> ideas?
>>   Yes.  If you configure the server to know about the users clear-text
>> password or NT-hashed password, then PEAP/GTC should "just work".
>>
>>   Alan DeKok.
>> --
>>   http://deployingradius.com       - The web site of the book
>>   http://deployingradius.com/blog/ - The blog
>> - 
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 




More information about the Freeradius-Users mailing list