Wireless WPA2 enterprise Radius authentication
John Dennis
jdennis at redhat.com
Thu Oct 28 01:08:17 CEST 2010
On 10/27/2010 06:18 PM, Maurice James wrote:
> How do I do it?

You were kindly given the answer previously by Maurice. But just to
reinforce, please review the compatibility information here:

http://deployingradius.com/documents/protocols/compatibility.html

The client is sending mschap, look at the table above, what are the
valid password formats for mschap? What authentication mechanisms are
valid with SSHA?

So you basically have 3 choices:

1) Store cleartext passwords in ldap
2) Store nt hash in ldap
3) Don't support mschap clients

Or if AD is available as your ldap use ntlm_auth with AD to support mschap.

> Maurice James <midnightsteel at msn.com> wrote:
>
>> [ldap] looking for check items in directory...
>> [ldap] userpassword -> User-Password == "{SSHA}5wzxRoUPX/rLkS9hY1HztczPN8u5m/dGDzKvdg=="
>
> This will not work. You need a cleartext password. This SSHA-Hash is only good for PAP, any challenge response method like MSCHAPv2 won't function with this.
>
>> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>> [mschap] Told to do MS-CHAPv2 for MJames with NT-Password
>> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
>> [mschap] FAILED: MS-CHAP2-Response is incorrect
>> ++[mschap] returns reject
>
> And this is the result --> reject.
--
John Dennis <jdennis at redhat.com>
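
Added example (not part of the original post and not FreeRADIUS code): a Python sketch of why the {SSHA} value in the debug output can be checked for PAP but not for MS-CHAPv2. The format labels, function names and the sample password and salt are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac

# Stored format -> client methods it can satisfy, limited to the cases
# discussed in this thread. The format names are this example's own labels.
USABLE = {
    "cleartext": {"PAP", "MS-CHAPv2"},
    "nt-hash": {"PAP", "MS-CHAPv2"},
    "ssha": {"PAP"},
}

def parse_ssha(value):
    """Split an LDAP {SSHA} value into (sha1_digest, salt)."""
    if not value.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[6:], validate=True)
    if len(raw) <= 20:
        raise ValueError("missing salt")
    return raw[:20], raw[20:]

def make_ssha(password, salt):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_check(stored, cleartext_from_client):
    """PAP hands the server the cleartext, so it can redo the salted hash."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(cleartext_from_client.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def can_authenticate(stored_format, method):
    """MS-CHAPv2 sends only a challenge response, which the server can
    recompute from the cleartext or NT hash but not from a salted SHA-1."""
    return method in USABLE[stored_format]

# Value from the debug output quoted in the thread.
THREAD_VALUE = "{SSHA}5wzxRoUPX/rLkS9hY1HztczPN8u5m/dGDzKvdg=="
# Constructed sample: password and salt are made up for this example.
SAMPLE = make_ssha("example-pass", b"\x01\x02\x03\x04\x05\x06\x07\x08")

if __name__ == "__main__":
    digest, salt = parse_ssha(THREAD_VALUE)
    print(len(digest), len(salt))
    print(pap_check(SAMPLE, "example-pass"))
    print(can_authenticate("ssha", "MS-CHAPv2"))
```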