Hi Alan, That same wiki says 'The ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user.' I might be mis-understanding as im new to Radius, but that doesnt sound to positive. Anyway... I'm hoping to find a workaround So I checked my sites-enabled/default and it does have the LDAP module listed: (I striped out the comments and highlighted the bits I changed) -------------------------------------------------------- authorize { # auth_log chap mschap digest # wimax # IPASS suffix eap { ok = return } # unix *# files* # sql # etc_smbpasswd * ldap* # daily # checkval expiration logintime pap # Autz-Type Status-Server { # # } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # pam unix * Auth-Type LDAP {* * ldap* * }* Allow EAP authentication. eap # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # } # } } -------------------------------------------------------- In addition here is the output of my debug: -------------------------------------------------------- rad_recv: Access-Request packet from host 10.x.x.100 port 62061, id=2, length=50 User-Name = "adamjseed" CHAP-Password = 0x84bafb904d422b61c5bd8dcf5c2d4xxxx # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "adamjseed", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for adamjseed [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> adamjseed [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=adamjseed) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=adamjseed) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}1hkMdaNUxxbUu/hufTrjtQ==" [ldap] looking for reply items in directory... [ldap] user adamjseed authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "adamjseed" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> adamjseed attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 2 to 10.x.x.100 port 62061 -------------------------------------------------------- Any assistant is greatly welcomed. On Mon, Mar 3, 2014 at 9:21 AM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
I have a freeraidus server set up which uses an openLDAP back for its users and groups while it works fine for PAP passwords, it seams most clients are wanting to use CHAP. I have read that CHAP passwords will not work
Where?
however on the faq its says; ' There are however provisions to extract the user password from the LDAP and make it available to the server core and the chap module' (http://wiki.freeradius.org/guide/faq). How is this done/setup?
You configure the LDAP module, and make sure it's listed in sites-enabled/default, in the "authorize" section.
FreeRADIUS will pull the password from the database, and authenticate the user.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html