LDAP-FreeRadius-Cisco Switch-802.1x Fails.

Wassim Zaarour wassim.zaarour at navlink.com
Fri Apr 20 09:53:32 CEST 2012


Hi Farja,

I just checked with the ldap admin and he told me passwords are stored
with SHA encryption and not cleartext. (Can't change them to clear text.)

Does that mean there is no way to make TTLS/PEAP/MSCHAPv2 work with it??

If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with
the windows laptops as they have PEAP/MSCHAPv2 only.

Any workaround?

Thanks
Wassim.
On 4/20/12 10:30 AM, "Fajar A. Nugraha" <list at fajar.net> wrote:

>On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour
><wassim.zaarour at navlink.com> wrote:
>
>> On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list at fajar.net> wrote:
>
>>>Long version:
>>>MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either:
>>>- Cleartext-Password or NT-Hash available (in LDAP, sql, users file
>>>whatever), OR
>>>- an active directory
>>>
>>>If you don't have either, then it won't work.
>>
>> Hi Farja,
>>
>> Passwords are stored as clear text in my LDAP, that should make MSCHAPv2
>> work right?
>
>Yes, if FR can find them. This part of the log says it can't:
>
>[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter
>(uid=pk)
>[ldap] looking for check items in directory...
>[ldap] looking for reply items in directory...
>WARNING: No "known good" password was found in LDAP.  Are you sure that
>the user is configured correctly?
>
>You might need to play around with the user used to login to LDAP,  as
>some systems only give out passwords to admin accounts. Testing manual
>LDAP lookup using command line tool (e.g. ldapsearch) helps. If you
>CAN get your ldap server to return cleartext password with ldapsearch,
>then you should be able to configure FR to get that as well.
>
>-- 
>Fajar
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
More information about the Freeradius-Users mailing list