Paul Dugas wrote:
The settings in NetworkManager on my Fedora Linux laptop, when I choose WPA&WPA2-Enterprise and PEAP, allow MSCHAPv2 (default), MD5, and GTC for the inner authentication. I see on the protocol compatibility table you referenced that only clear-text and ntlm_auth are available under PEAP and EAP-MSCHAPv2.
No. MS-CHAP is compatible with the "NT Hash" form, or "NT-Password". This same form is also used by ntlm_auth.
I do not have clear-text passwords in my LDAP directory so I concluded I needed to look into ntlm_auth.
Where did I go wrong?
You have mistaken a tool for a method. "ntlm_auth" is a tool which gets MS-CHAP to authentication to Active Directory. "NT hash" is a password hashing method. If you do not have clear-text or NT hashed passwords in your LDAP database, then *no* tool will magically make MS-CHAP work. The problem is the method used to store the password. The problem is *not* the tool used to retrieve the password. Alan DeKok.