PEAP/EAP-MSCHAPv2 with OpenLDAP
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Aug 3 20:39:17 CEST 2017
> On Aug 3, 2017, at 12:33 PM, mr mh1113 <mrmh1113 at gmail.com> wrote:
>
> Well, it's not as easy as one might think.
>
> I am getting this error:
> NT-Password found but incorrect length, expected 16 bytes got 40 bytes.
> Authentication may fail
If you want it to "just work" your password value should be a binary type with no header.
If you'd rather work around your issues...
ldap
if (control:NT-Password =~ /^{.*}(.*)/) {
update control {
NT-Password := "0x%{1}"
}
}
> MD4 hash has 32 characters, it's hex number so that means 2 characters = 1
> byte. 32 / 2 = 16 bytes and this "length" is expected.
> Another 8 bytes (32 + 8 = 40) is header {nthash} with curled brackets
The rest of the server knows nothing about LDAP's predilection for hash prefixes.
> including. I've tried {nt} header and blank header with no success.
> It seems that FreeRadius interprets value in my custom LDAP attribute as
> plain text not hex number.
> LDAP attribute is type "text".
Yes.
> Custom LDAP attribute contains text value E217DE3A51C1329B751A28B9792F42DB.
No, it should contain the binary value.
> There was a thread about similar problem
> https://github.com/FreeRADIUS/freeradius-server/issues/679
> I use FreeRadius 3.0.4 from CentOS 7 with backported fixes from upstream.
I'd strongly recommend using 3.0.15.
http://packages.networkradius.com/centos/7/repo/
-Arran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170803/bd762d30/attachment.sig>
More information about the Freeradius-Users
mailing list