On Mar 20, 2023, at 12:44 PM, Matt H <meh1963@gmail.com> wrote:
Hello Alan - I think I described it badly. Our configuration does not use Active Directory. The order is this: supplicant (Mac or Windows) >> FreeRadius (via EAP and PEAP or EAP and MSCHAP) >> FreeIPA ldap server (389DS)
The LDAP server is not returning the clear-text password to FreeRADIUS.
I read the matrix at Deploying RADIUS: Protocol and Password Compatibility <http://deployingradius.com/documents/protocols/compatibility.html>, (lines 4, 5, and 6 first two columns) as supporting such a configuration.
Does your LDAP server store passwords clear-text, or NT hash, *and* return those values to FreeRADIUS? a) no - FreeRADIUS never sees the passwords from LDAP, so it doesn't matter what the web page says b) yes - the debug log shows that the LDAP server isn't returning the password to FreeRADIUS. See the previous line... You can't just look at the web page and go "it's possible". I know it's possible. It also doesn't help to quote the web page to me. I do understand the page, because I wrote it. What you need to understand is that the web page is irrelevant. Because.... The debug output shows that the LDAP server isn't returning a password to FreeRADIUS. Therefore, MS-CHAP won't work. So.... configure the LDAP server to return a clear-text password to FreeRADIUS. Or make it return an NT hash to FreeRADIUS. It will then work. Alan DeKok.