Problems with 802.1x
alan buxey
A.L.M.Buxey at lboro.ac.uk
Tue Nov 20 18:48:44 CET 2012
Hi,
> So here is a debug again. Like I said, SQL is uncommented on inner-tunnel.
that's better - and yes it is uncommented... the debug shows that nicely :-)
> ++[sql] returns ok
ok
> [pap] Normalizing MD5-Password from hex encoding
the password is MD5 encrypted.
> rlm_eap_mschapv2: Issuing Challenge
and that's your problem. 802.1X methods like PEAPv0/MSCHAPv2 (standard Microsoft PEAP)
DO NOT send the password to the server. instead, they use a challenge-response method.
which means that you need to be able to KNOW the actual password - so you need to
have a copy of it.
this all comes down to compatibility....which, once again, highlights the requirements
to read the documentation - particularly the web site which I have already mentioned:
http://deployingradius.com/documents/protocols/compatibility.html
so....the passwords in DB need to be clear or NT-hash
your current non 802.1X stuff works because the captive portal actually sends
the user-password across to the RADIUS server...so it can do an MD5 and see
that it just matches the database value.
alan
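
The compatibility point from the reply above, as an added example that is not part of the original post or of FreeRADIUS: a server holding only an MD5 of the password can check PAP, where the password itself arrives, but cannot check a challenge-response. It uses CHAP (RFC 1994) as a simpler stand-in for MSCHAPv2 because CHAP needs only MD5; the function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os


def pap_verify(stored_md5_hex: str, received_password: str) -> bool:
    """PAP: the server receives the password itself, so it can hash it and compare."""
    candidate = hashlib.md5(received_password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_md5_hex.lower())


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, server_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The server recomputes the response from whatever secret it has stored."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse"  # constructed sample password
    # What an MD5-Password column would hold for this user.
    stored_md5_hex = hashlib.md5(password.encode()).hexdigest()

    # Challenge-response: the client proves knowledge of the password
    # without ever sending it to the server.
    ident, challenge = 7, os.urandom(16)
    client_resp = chap_response(ident, password.encode(), challenge)

    return {
        # Captive-portal style PAP: works against the MD5 column.
        "pap_with_md5_db": pap_verify(stored_md5_hex, password),
        # Challenge-response with the cleartext stored: works.
        "chap_with_cleartext_db": chap_verify(ident, password.encode(), challenge, client_resp),
        # Challenge-response with only the MD5 stored: the server cannot
        # reproduce the client's computation, so verification fails.
        "chap_with_md5_db": chap_verify(ident, bytes.fromhex(stored_md5_hex), challenge, client_resp),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
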