On Jan 8, 2019, at 11:07 AM, Anton Kiryushkin <swood@fotofor.biz> wrote:
Now I read the documentation, but I still don't understand why server choose one method instead of others (I've read about attempts predict).
In most cases, the *client* chooses the authentication method. The server is just configured to allow many different methods.
So, I have next config file and I try to understand why it's don't working: (Unfortunately, I don't understand the reason why it has working for mschapv2 and don't work for eap)
Read the debug log for MSCHAPv2, and see how it's different from EAP.
(291) eap: Peer sent packet with method EAP MD5 (4) (291) eap: Calling submodule eap_md5 to process data (291) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication (291) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed (291) eap: Sending EAP Failure (code 4) ID 8 length 4 (291) eap: Failed in EAP select (291) [eap] = invalid (291) } # authenticate = invalid (291) Failed to authenticate the user (291) Using Post-Auth-Type Reject (291) Post-Auth-Type sub-section not found. Ignoring.
My question is why this client can't log in? I have correct md5-hash in a database which added like "0x06d9ded822ff50138cda74ee2e771082".
The debug log *tells you* why it doesn't work. See the text just above. It tells you what's going wrong, and what the server needs.
The second question is do I have a possibility to check which module has used: eap or mschap. I want to use a correct hash from the database in case mschapv2 modules has been called.
Your best bet is to just use Cleartext-Password, and let the server figure out what to do. Alan DeKok.