<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Dear,</div><div><br></div><div>at the risk of falling into a known trap.</div><div>I've read enough statements that one can't do mschapv2 with openldap, unless you store the passwords in clear-text. I know that</div><div><br></div><div>But those same sources also state that this isn't true when you have a (MS) hash available for those users, like NT-/LM-PASSWORD, which I have.</div><div><br></div><div>Yet my configuration still seems to expect clear-text passwords.</div><div>From the debug output (cleaned):</div><div><br></div><div><div>[ldap] looking for check items in directory...</div><div> [ldap] userPassword -> User-Password == "{crypt}&lt;cryptpasswd&gt;"</div><div> [ldap] userPassword -> Password-With-Header == "{crypt}&lt;cryptpasswd&gt;"</div><div> [ldap] sambaNTPassword -> <b>NT-Password == 0x&lt;hash&gt;</b></div><div> [ldap] sambaLMPassword -> <b>LM-Password == 0x&lt;hash&gt;</b></div><div><br></div><div>[eap] processing type mschapv2</div><div>[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel</div><div>[mschapv2] +- entering group MS-CHAP {...}</div><div>[mschap] No Cleartext-Password configured. Cannot create LM-Password.</div><div>[mschap] No Cleartext-Password configured. Cannot create NT-Password.</div><div>[mschap] Creating challenge hash with username: &lt;userid&gt;</div><div><b>[mschap] Told to do MS-CHAPv2 for &lt;userid&gt; with NT-Password</b></div><div><b>[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.</b></div><div><b>[mschap] FAILED: MS-CHAP2-Response is incorrect</b></div><div>++[mschap] returns reject</div></div><div><br></div><div>What am I missing in the configuration? 
It has the hashed passwords, seemingly mapped to the correct attributes, yet it still says it doesn't have them.</div><div>Config is as stock as possible, using <a href="http://vuksan.com/linux/dot1x/802-1x-LDAP.html">http://vuksan.com/linux/dot1x/802-1x-LDAP.html</a> and <a href="http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius">http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius</a> as guidelines.</div><div><br></div><div>See pastebin for the entire configuration, since one can't post attachments to a mailing list. <a href="http://pastebin.com/d6FWVS1F">http://pastebin.com/d6FWVS1F</a></div><div><br></div><div>Br,</div><div><br></div><div>Thomas</div></body></html>