Hi Farja, I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text) Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it?? If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the windows laptops as they have PEAP/MSCHAPv2 only. Any workaround? Thanks Wassim. On 4/20/12 10:30 AM, "Fajar A. Nugraha" <list@fajar.net> wrote:
On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour <wassim.zaarour@navlink.com> wrote:
On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list@fajar.net> wrote:
Long version: MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either: - Cleartext-Password or NT-Hash available (in LDAP, sql, users file whatever), OR - an active directory
If you don't have either, then it won't work.
Hi Farja,
Passwords are stored as clear text in my LDAP, that should make MSCHAPv2 work right?
Yes, if FR can find them. This part of the log says it can't:
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You might need to play around with the user used to login to LDAP, as some systems only give out passwords to admin accounts. Testing manual LDAP lookup using command line tool (e.g. ldapsearch) helps. If you CAN get your ldap server to return cleartext password with ldapsearch, then you should be able to configure FR to get that as well.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html