Given that we don't store clear text passwords anyways... would one solution to my problem be to disable EAP-MD5? My config for eap has this in it: # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } Only very few of our users seem to be causing these errors.... Thanks, Mohamed. On Fri, Feb 5, 2016 at 6:34 PM, Mohamed Lrhazi < Mohamed.Lrhazi@georgetown.edu> wrote:
Thank you so much Alan.
Mohamed.
On Fri, Feb 5, 2016 at 6:27 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 5, 2016, at 6:23 PM, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
I have some users, apparently always the same, who get rejected with
this
error message... I managed to get a session containing the failure captured in debug mode. Not sure if I should post more, but this the end of one such session....
How can I get to the root cause of their rejections?
Read the debug output.
(267) EXPAND {nt}%{1} (267) --> {nt}1DD9FC26BF0FCD74413AF390A74F559B (267) Password-With-Header := {nt}1DD9FC26BF0FCD74413AF390A74F559B
That's the first piece of information.
(267) eap_md5: Cleartext-Password is required for EAP-MD5 authentication
That's the second piece of information.
You can't do EAP-MD5 with NT hashed passwords.
For details, see:
http://deployingradius.com/documents/protocols/compatibility.html
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html