FreeRADIUS + OpenLDAP + MSCHAPv2

Matt Bernstein +systems.extlists.freeradius-users at dcs.qmul.ac.uk
Sun Nov 16 14:56:03 CET 2008


On Nov 14 Tim Gustafson wrote:

> I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.

The easiest way to install the latest FreeRADIUS on CentOS I know of is to 
visit <http://koji.fedoraproject.org/koji/packageinfo?packageID=298>, find 
the latest source RPM and rebuild it. It's a small amount of work, but 
will stop people saying "upgrade" a lot.

> I'm trying to figure out how to configure FreeRADIUS to authenticate 
> against an OpenLDAP server using MSCHAPv2.  I Googled a lot of different 
> phrases, and came up with some things that were mildly helpful.  Right 
> now, I have FreeRADIUS authenticating against the LDAP server without 
> using MSCHAPv2, but I'm not understanding how to now activate the 
> MSCHAPv2 part.

I have it working. You need to check your ldap.attrmap (or whatever you've 
set dictionary_mapping to) points at the right LDAP field. I use the 
samba schema, so:

checkItem       NT-Password                     sambaNtPassword

Then your debug log should include entries like:

rlm_ldap: sambaNtPassword -> NT-Password == 0x........
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?

...but this is OK, since with "mschap" before "ldap" in your authorize{} 
block, FreeRADIUS will handle the challenge-response stuff correctly for 
MSCHAPv2 using the NT hash from OpenLDAP. Make sure you bind to OpenLDAP 
with sufficient privilege to read the NT hash!

HTH

Matt


