Hello!
I'm trying to authenticate users from LDAP with FreeRadius by PAP protocol. Passwords are stored in LDAP in NT-hash. It's not my idea, I just have to do it.
When I do
radtest -t pap ....
I see from freeradius -X:
[pap] login attempt with password "n*******W"
[pap] Using clear text password "1D******************************9B"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [user/n***********W] (from client localhost port 0)
Using Post-Auth-Type Reject
So, FreeRadius compares my clear-text password with NT-hash taken from LDAP. Of course they are mismatched and I got a reject. If I'm using this hash as a password, it works.
At same time if I use mschap, it works well:
radtest -t mschap ...
+- entering group MS-CHAP {...}
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
So the question is: how to force PAP to create NT-hash from the given password and compare hash and hash. but not the password and hash?