Matt Bernstein +systems.extlists.freeradius-users at
Sun Nov 16 14:56:03 CET 2008

On Nov 14 Tim Gustafson wrote:

> I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.

The easiest way to install the latest FreeRADIUS on CentOS I know of is to 
visit <>, find 
the latest source RPM and rebuild it. It's a small amount of work, but 
will stop people saying "upgrade" a lot..

> I'm trying to figure out how to configure FreeRADIUS to authenticate 
> against an OpenLDAP server using MSCHAPv2.  I Googled a lot of different 
> phrases, and came up with some things that were mildly helpful.  Right 
> now, I have FreeRADIUS authenticating against the LDAP server without 
> using MSCHAPv2, but I'm not understanding how to now activate the 
> MSCHAPv2 part.

I have it working. You need to check your ldap.attrmap (or whatever you've 
set dictionary_mapping to) points at the right LDAP field. I use the 
samba schema, so:

checkItem       NT-Password                     sambaNtPassword

Then your debug log should include entries like:

rlm_ldap: sambaNtPassword -> NT-Password == 0x........
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?

..but this is OK, since with "mschap" before "ldap" in your authorize{} 
block, FreeRADIUS will handle the challenge-response stuff correctly for 
MSCHAPv2 using the NT hash from OpenLDAP. Make sure you bind to OpenLDAP 
with sufficient privilege to read the NT hash!
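
Added example, not part of the original post or of FreeRADIUS itself: a small Python check that reads an ldap.attrmap excerpt and a debug log and reports whether the NT hash actually reached the server, using the mapping and log line formats quoted above. The function names, the sample attrmap and the hash value are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from a real server).
ATTRMAP = """\
# ldap.attrmap excerpt
# checkItem     NT-Password                     ntPassword
checkItem       NT-Password                     sambaNtPassword
"""
DEBUG_OK = """\
rlm_ldap: sambaNtPassword -> NT-Password == 0x00112233445566778899aabbccddeeff
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
"""
DEBUG_NO_HASH = """\
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
"""

def nt_password_attr(attrmap_text):
    """Return the LDAP attribute mapped to NT-Password as a checkItem, or None."""
    for line in attrmap_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 3 and fields[0] == "checkItem" and fields[1] == "NT-Password":
            return fields[2]
    return None

def check_nt_hash(attrmap_text, debug_text):
    """Classify a debug run: 'ok', 'no-mapping', 'not-returned' or 'malformed'."""
    attr = nt_password_attr(attrmap_text)
    if attr is None:
        return "no-mapping"      # the attrmap never asks LDAP for the hash
    pat = re.compile(
        r"rlm_ldap: %s -> NT-Password == 0x([0-9A-Fa-f]*)" % re.escape(attr),
        re.IGNORECASE)           # LDAP attribute names are case-insensitive
    m = pat.search(debug_text)
    if m is None:
        # Attribute missing from the result: the user has no hash stored, or
        # the bind DN may not read it (the privilege point made in the post).
        return "not-returned"
    # An NT hash is 16 bytes, i.e. exactly 32 hex digits.
    return "ok" if len(m.group(1)) == 32 else "malformed"

if __name__ == "__main__":
    print(check_nt_hash(ATTRMAP, DEBUG_OK))
    print(check_nt_hash(ATTRMAP, DEBUG_NO_HASH))
```

The debug output contains the NT hash itself, which is password-equivalent for MSCHAPv2, so captured debug logs should be handled as sensitive.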


