Tim Gustafson wrote:
Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is more up-to-date than the CentOS Yum repositories apparently).
However, upon reading the documentation in modules/ldap, I see this: ... So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I missing something again?
A lot of the confusion here is terminology. People talk about pulling a password from a database and doing authentication in RADIUS as "authenticating against LDAP". This is technically *not* correct. In short, LDAP doesn't do MS-CHAPv2. You can't "do MS-CHAPv2 against an LDAP server". You CAN have FreeRADIUS read the clear-text password from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication. Thinking of it in this way is the *correct* way. It also has impacts on attitudes towards network design, requirements, etc. If you think of it as "doing MS-CHAPv2 against LDAP", it will be difficult to design a system based on how things really work... because the conceptual model underlying the design is wrong. Alan DeKok.