Yes, I use PEAP/MSCHAPv2, and passwords in OpenLDAP are stored in clear
text, but there is a really strange error when I try an
authentication via EAP-PEAP (MSCHAPv2). Here is the output of
FreeRADIUS:<br>
<br>
lm_ldap: checking if remote access for test is allowed by uid<br>
rlm_ldap: looking for check items in directory...<br>
rlm_ldap: looking for reply items in directory...<br>
rlm_ldap: user test authorized to use remote access<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>
modcall[authorize]: module "ldap" returns ok for request 6<br>
modcall: group authorize returns ok for request 6<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group authenticate for request 6<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/mschapv2<br>
rlm_eap: processing type mschapv2<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group Auth-Type for request 6<br>
rlm_mschap: No User-Password configured. Cannot create LM-Password.<br>
rlm_mschap: No User-Password configured. Cannot create NT-Password.<br>
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password<br>
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.<br>
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect<br>
modcall[authenticate]: module "mschap" returns reject for request 6<br>
modcall: group Auth-Type returns reject for request 6<br>
rlm_eap: Freeing handler<br>
modcall[authenticate]: module "eap" returns reject for request 6<br>
modcall: group authenticate returns reject for request 6<br>
auth: Failed to validate the user.<br>
Login incorrect: [test/<no User-Password attribute>] (from client localhost port 0)<br>
PEAP: Tunneled authentication was rejected.<br>
rlm_eap_peap: FAILURE<br>
<br>
I don't know if that error is due to an impossible comparison between
the hashed password in MSCHAP and the clear OpenLDAP password, or if there
are problems with the NT/LM-Password fields.<br>
<br><br><div><span class="gmail_quote">2006/6/6, Michael Griego <<a href="mailto:mgriego@utdallas.edu" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">mgriego@utdallas.edu</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2. In<br>this case, MD5 is not involved anywhere. The passwords are hashed<br>differently. As such, you must either have an NT hashed password<br>(which is actually a unicode-encoded MD4 hash of the password) or a
<br>cleartext password in your directory.<br><br>--Mike<br><br>On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:<br><br>> Hello,<br>><br>> I would like to use PEAP to perform authentication of WLAN users,<br>
> I choose PEAP because Users and Passwords are in an LDAP Server
<br>> (OPEN-LDAP). According to me PEAP works like this:<br>><br>> Phase 1 :: TLS handshake, the server authenticates to the client as a<br>> trusted radius server and a cipher tunnel is created.<br>> Phase 2 :: Login + Password + Domain hashed with MD5 are sent to
<br>> the Radius Server which asks the LDAP server for password and login.<br>><br>> According to the doc file: realm_eap, freeradius supports only<br>> eap-tls (authentication based only on certificates (client +
<br>> server ) lead and eap-MD5 ( according to me even if PEAP uses MD5<br>> hash, the EAP-MD5 is different with no mutual authentication and<br>> no TLS handshake )<br>><br>> I don't want to use a full certificate based solution like EAP-TLS or
<br>> an authentication with no ciphered tunnel like with EAP-MD5<br>><br>> Anyone could help me for using PEAP (or at least authentication<br>> with the two phases described above) with freeradius ?<br>><br>
> thank you.<br>><br>> Ps : sorry for english mistakes :)<br>> -<br>> List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://www.freeradius.org/list/</a><br>> users.html<br>
<br><br><br></blockquote></div><br>