I am using Microsoft 2003 Active Directory Server; the way wifi (MSCHAPv2) works is with ntlm_auth, which does the authentication.<div> - your LDAP module isn't setting Auth-Type for some reason</div><div> This is happening because of <a href="http://lists.freeradius.org/pipermail/freeradius-users/2008-May/027962.html" target="_blank" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">http://lists.freeradius.org/pipermail/freeradius-users/2008-May/027962.html</a></div>
<div> and if I do it the way it's suggested, Auth-Type gets set to ldap_secondary.</div><div> If this works, how is this going to be solved? Because what I saw is that it still doesn't do mschapv2.</div><div><br></div><div>
The way it works with wifi or radtest is: Auth-Type is set to EAP (it refers to eap.conf), it goes to mschap modules (set up TLS channel and then under that), from there it's told to use the external program ntlm_auth, which does the authentication and tells radius if it's OK or not.</div>
<div><br></div><div>What I was trying is to get a similar way working with captive portal as well.</div><div><br></div><div><br><br><div class="gmail_quote">On Fri, Apr 19, 2013 at 7:29 PM, Matthew Newton <span dir="ltr">&lt;<a href="mailto:mcn4@leicester.ac.uk" target="_blank">mcn4@leicester.ac.uk</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Fri, Apr 19, 2013 at 06:15:09PM +0530, Chitrang Srivastava wrote:<br>
> Tried what Matthew suggested in the authorize section and it worked. The whole<br>
> issue is the captive portal is sending a non-EAP message with User-Password set;<br>
> in this case we have to set auth type as ldap.<br>
<br>
</div>It's obvious from your debug output that<br>
<br>
- your LDAP module isn't setting Auth-Type for some reason<br>
- your LDAP server isn't returning any sort of password (plain or<br>
crypted)<br>
<br>
and therefore you probably need to try and do that horrible hack<br>
of binding to the LDAP server to auth. Really, Alan is right -<br>
LDAP is not an authentication server, even though lots of people<br>
seem to think it is.<br>
<br>
Hence the suggestion to "fix" your problem by setting Auth-Type,<br>
iff it has not already been set, when not doing EAP and<br>
User-Password is supplied.<br>
<br>
The best solution is to fixup your LDAP server to return the<br>
crypted password back to FreeRADIUS. Like already pointed out, if<br>
it's AD, this isn't likely to happen.<br>
<div class="im HOEnZb"><br>
Matthew<br>
<br>
<br>
--<br>
Matthew Newton, Ph.D. &lt;<a href="mailto:mcn4@le.ac.uk">mcn4@le.ac.uk</a>&gt;<br>
<br>
Systems Specialist, Infrastructure Services,<br>
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom<br>
<br>
For IT help contact helpdesk extn. 2253, &lt;<a href="mailto:ithelp@le.ac.uk">ithelp@le.ac.uk</a>&gt;<br>
</div><div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div>
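The suggestion quoted above (set Auth-Type only if it has not already been set, when the request is not EAP and User-Password is supplied), written out as a FreeRADIUS 2.x unlang fragment. This is an added example, not configuration posted in the thread; it assumes the stock `ldap` module instance and Auth-Type name (a named instance such as ldap_secondary would be substituted in both places) and that the password is checked by binding to the LDAP server.

```text
# Virtual server file (for example sites-enabled/default), FreeRADIUS 2.x.
# Assumption: the LDAP module instance is called "ldap".

authorize {
    # ... other stock modules ...
    mschap
    eap {
        ok = return
    }
    ldap

    # Fall back to an LDAP bind only when all three hold:
    #   - no earlier module has already chosen an Auth-Type
    #   - the request carries no EAP-Message (so it is not 802.1X/wifi)
    #   - a cleartext User-Password was supplied (PAP from the portal)
    if (!control:Auth-Type && !EAP-Message && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    # MS-CHAPv2 requests keep using mschap (and ntlm_auth behind it).
    Auth-Type MS-CHAP {
        mschap
    }

    # PAP requests selected above are verified by binding as the user.
    Auth-Type LDAP {
        ldap
    }

    eap
}
```

An LDAP bind needs the cleartext User-Password, so this path covers only PAP requests such as those from the captive portal; it cannot verify an MS-CHAPv2 exchange, which still goes through mschap and ntlm_auth.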