LDAP-FreeRadius-Cisco Switch-802.1x Fails.

Wassim Zaarour wassim.zaarour at navlink.com
Fri Apr 20 09:53:32 CEST 2012

Hi Farja,

I just checked with the ldap admin and he told me passwords are stored
with SHA encryption and not cleartext. ( can't change them to clear text)

Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it??

If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with
the windows laptops as they have PEAP/MSCHAPv2 only.

Any workaround?


On 4/20/12 10:30 AM, "Fajar A. Nugraha" <list at fajar.net> wrote:

>On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour
><wassim.zaarour at navlink.com> wrote:
>> On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list at fajar.net> wrote:
>>>Long version:
>>>MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either:
>>>- Cleartext-Password or NT-Hash available (in LDAP, sql, users file
>>>whatever), OR
>>>- an active directory
>>>If you don't have either, then it won't work.
>> Hi Farja,
>> Passwords are stored as clear text in my LDAP, that should make MSCHAPv2
>> work right?
>Yes, if FR can find them. This part of the log says it can't:
>[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter
>[ldap] looking for check items in directory...
>[ldap] looking for reply items in directory...
>WARNING: No "known good" password was found in LDAP.  Are you sure that
>the user is configured correctly?
>You might need to play around with the user used to login to LDAP,  as
>some systems only give out passwords to admin accounts. Testing manual
>LDAP lookup using command line tool (e.g. ldapsearch) helps. If you
>CAN get your ldap server to return cleartext password with ldapsearch,
>then you should be able to configure FR to get that as well.
>List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list