LDAP-FreeRadius-Cisco Switch-802.1x Fails.

Fajar A. Nugraha list at fajar.net
Fri Apr 20 09:30:42 CEST 2012

On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour
<wassim.zaarour at navlink.com> wrote:

> On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list at fajar.net> wrote:

>>Long version:
>>MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either:
>>- Cleartext-Password or NT-Hash available (in LDAP, sql, users file
>>whatever), OR
>>- an active directory
>>If you don't have either, then it won't work.
> Hi Fajar,
> Passwords are stored as clear text in my LDAP, that should make MSCHAPv2
> work right?

Yes, if FR can find them. This part of the log says it can't:

[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?

You might need to play around with the user used to log in to LDAP, as
some systems only give out passwords to admin accounts. Testing a manual
LDAP lookup using a command-line tool (e.g. ldapsearch) helps. If you
CAN get your LDAP server to return the cleartext password with ldapsearch,
then you should be able to configure FR to get that as well.
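An added helper for the ldapsearch check suggested above (example code, not from the thread or from FreeRADIUS): it reads the LDIF that ldapsearch prints for a user and reports whether the bind user got back no password, a hashed one, or a cleartext one, which is the case MSCHAPv2 needs. It assumes POSIX sh and the coreutils `base64` utility; the host, bind DN, base DN and sample LDIF are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: classify what ldapsearch returned for a
# user's password, to tell whether FreeRADIUS could ever find a "known good"
# password for MSCHAPv2 when binding as that LDAP user.
# Assumes POSIX sh plus coreutils `base64`; all sample data is constructed.
#
# Real-world use (placeholders, not values from the thread):
#   ldapsearch -x -H ldap://LDAPHOST -D "BIND_DN" -W -b "BASE_DN" \
#       "(uid=USER)" userPassword | classify_password

# Print the decoded userPassword value from LDIF on stdin (first match only).
# ldapsearch writes non-safe values base64-encoded as "attr:: <base64>".
ldif_password() {
    line=$(awk '
        /^userPassword:: / { print "B64 " substr($0, 16); exit }
        /^userPassword: /  { print "RAW " substr($0, 15); exit }
    ')
    [ -n "$line" ] || return 1          # no userPassword attribute returned
    kind=${line%% *}
    value=${line#* }
    case "$kind" in
        B64) printf '%s' "$value" | base64 -d ;;
        RAW) printf '%s' "$value" ;;
    esac
}

# Print "missing", "cleartext" or "hashed:<scheme>" for LDIF on stdin.
# Only "cleartext" (or a separately stored NT-Hash) lets MSCHAPv2 succeed;
# "missing" is exactly the 'No "known good" password was found' situation.
classify_password() {
    pw=$(ldif_password) || { echo missing; return 0; }
    case "$pw" in
        "")       echo missing ;;
        "{"*"}"*) echo "hashed:$(printf '%s' "$pw" | sed 's/^{\([^}]*\)}.*/\1/')" ;;
        *)        echo cleartext ;;
    esac
}

# Constructed sample: the bind user can read alice's cleartext password
# ("secret123", base64-encoded by ldapsearch, hence the double colon).
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword:: c2VjcmV0MTIz'

printf '%s\n' "$SAMPLE_LDIF" | classify_password   # prints: cleartext
```

If the result is "missing" while an admin bind returns "cleartext", the problem is the ACL on the bind user FreeRADIUS uses, not the MSCHAPv2 configuration.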

