802.1X PEAP / MSCHAPv2 (with nt-password)

Thomas Dupas thomas at dupas.be
Fri Nov 30 17:39:51 CET 2012


Dear,

At the risk of falling into a known trap:
I've read enough statements that one can't do MSCHAPv2 with OpenLDAP unless you store the passwords in clear text. I know that

But those same sources also state that this isn't true when you have a (MS) hash available for those users, like NT-/LM-PASSWORD, which I have.

Yet my configuration still seems to expect clear-text passwords.
From the debug output (cleaned):

[ldap] looking for check items in directory...
  [ldap] userPassword -> User-Password == "{crypt}<cryptpasswd>"
  [ldap] userPassword -> Password-With-Header == "{crypt}<cryptpasswd>"
  [ldap] sambaNTPassword -> NT-Password == 0x<hash>
  [ldap] sambaLMPassword -> LM-Password == 0x<hash>

[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: <userid>
[mschap] Told to do MS-CHAPv2 for <userid> with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

What am I missing in the configuration? It has the hashed passwords, seemingly mapped to the correct attributes, yet it still says it doesn't have them.
The config is as stock as possible, using http://vuksan.com/linux/dot1x/802-1x-LDAP.html and http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius as guidelines.

See pastebin for the entire configuration, since one can't post attachments to a mailing list. http://pastebin.com/d6FWVS1F

Br,

Thomas