FreeRADIUS + OpenLDAP + MSCHAPv2

tnt at kalik.net tnt at kalik.net
Fri Nov 14 21:13:14 CET 2008


>> ntlm_auth line is commented out by default.
>
>Ok, I see that.
>
>From what I understand, MSCHAPv2 needs access to the unencrypted user password, and OpenLDAP doesn't offer that.  I'm guessing I'll have to add an unencrypted password field to the LDAP server to make this work, but that's not been made clear in any documentation.
>

Yes, it needs clear text or NT hashed password. You can store plain text
in userPassword.

http://deployingradius.com/documents/protocols/compatibility.html

>And, how do you tell the FreeRADIUS eap/peap/MSCHAPv2 client to use the LDAP server as opposed to text files or PAM?
>

By listing ldap in authorize.

>I'm attaching my radiusd.conf to this e-mail, any comments would be greatly appreciated.  I stripped out all the comments and removed the modules I wasn't using (like SQL stuff and unix/PAM/etc).

And so much more (peap is misconfigured, as is ldap, mschap auth type is
gone, there is nothing to get the password from ...). That will not work.

Get the server working with the default configuration. Remove one thing
at a time, testing that the server can start and authenticate users
(and reject when needed). You have also removed all the logging and
accounting so you will have no idea what the server is doing.

And use the current version. This is something old.

 Ivan Kalik
Kalik Informatika ISP
