Ms-Chap + NT-Password
Alan DeKok
aland at deployingradius.com
Sat Dec 22 14:42:40 CET 2018
On Dec 21, 2018, at 6:28 PM, Anton Kiryushkin <swood at fotofor.biz> wrote:
>
> Thank you very much for your explanation. I fixed one of my problems. But
> there is one more, unfortunately. Could you please tell me why some clients
> still can't log in:
The debug messages are clear...
>
> (100) eap: Peer sent packet with method EAP MD5 (4)
> (100) eap: Calling submodule eap_md5 to process data
> (100) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5
> authentication
You need a Cleartext-Password to do EAP-MD5.
The rest of the debug messages make it clear that the EAP-MD5 method is being used *inside* of PEAP.
> I suppose, the main problem from this string:
>
> (100) eap_peap: EAP method MD5 (4)
>
> But, I haven't enabled this type of authorization:
Yes, you have. You've listed "md5" inside of the "eap" module configuration. If you didn't list "md5" there, then FreeRADIUS would complain that EAP-MD5 wasn't permitted. Instead, it runs EAP-MD5.
> Probably I should have two versions of hashes for wifi and ethernet
> authorization?
The debug log says you need the Cleartext-Password, not a hashed password. And once you have that, FreeRADIUS can do PEAP/MS-CHAP, too.
Alan DeKok.
More information about the Freeradius-Users
mailing list