On Dec 19, 2019, at 7:38 PM, Robert <rwt@n-voice.com> wrote:
I have a feeling I'm really close to getting this to work. Spent a lot of time reading old posts and such. If I don't use mschap it works (first try). If I use mschap it doesn't (Second try).
That's always the same issue: password formats. Please read the documentation about what to post to the list: http://wiki.freeradius.org/list-help We DON'T need to see the output of radclient. We DON'T need to see the output of tests which work.
(1) ldap: control:Password-With-Header += '{PBKDF2_SHA256}AAAIAEhOrJwqZkQ2Xq6WP4lVdbpoUu6uUvswCNAcoxTx1yHPt79yzSK ZC1pPccla4Pmnkcj1HPeKF6zuWC0srkIND9fiJuG6Q3Npsd8la6B6smIqgt4mI0WhYtY2Us dGd2uloy15ST+tK+WO4pZfOJbZ4zI82qbd3zgzeD1QSnT/F0oxLZ4yUcr6aYbSi1/I4KCYP 6tJFb9Cnq8eXXbdp6JCpNw1VCn+a9TYrjCPkP+kwglCX28Ovq9zt8VX5K/19PysnChU9vaX ZWwbfiTk0rbissyoBcYIzruO73f18zsyWUYiXHpq0GyybK0d8X4ddC5DxRTDilzZ3GuCBUm uFNaviktPV66jfoMclpPI1LFRZJjND5T6/xSTTKIyO7GDrERM2HdX1oVElLKzdBCbu0IfhS kHw6dcYaJ2cx5DQM/tdv5u' ... (1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re- writing to Cleartext-Password
That's pretty clear. The passwords are stored in a format that FreeRADIUS doesn't understand.
(1) mschap: Found Cleartext-Password, hashing to create NT-Password (1) mschap: ERROR: Failed generating NT-Password
Because the Cleartext-Password is *not* that big blob above.
Please let me know if I can provide anything else that would be useful.
When you join the list, you get sent an email with a link to the wiki. The email tells you what we need.
If there is a guide on how to get dd_wrt, freeradius and freeipa working I'd like to see that. I've read a bunch of them so far. This is the closest I can get.
The Wiki actually has pretty good documentation, as does the default configuration files. It's almost 2020. We don't recommend reading random web pages that are likely years out of date.
python3-samba-4.11.3-0.fc31.x86_64 Thu 19 Dec 2019 05:50:53 PM EST
We don't need to see lists of RPMs on the system. Read this web page. That page has existed for ~15 years, and documents protocol compatibly: http://deployingradius.com/documents/protocols/compatibility.html The "pap" test fails, because you're forcing "Auth-Type := LDAP". Which means that the LDAP module uses the users password to do a "bind as user" to LDAP. So the LDAP server does the authentication. LDAP servers do *not* support MS-CHAP authentication. Your choices are listed on the web page above. Alan DeKok.