On Thu, 2005-09-01 at 12:32 +0300, Vilius Šumskas wrote:
Hello,
I'm having trouble authenticating from VPN box through Radius server to LDAP. My VPN uses MS-CHAP challenge/response system for authentification. Packet that comes from VPN to Radius server looks like this:
User-Name = "admin" MS-CHAP-Challenge = 0x45bc0700dd22f6795f77bbe0d986328c MS-CHAP2-Response = 0x0100313396a8ea58cd1155c817c50a00715b0000000000000000b03e5340a5ae3c2ac4e 9408d57eae02fcfdbffab3f983a1b NAS-Port = 0 NAS-Port-Type = Virtual Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 10.1.1.202
But Radius can't autenticate to LDAP as there is no User-Password attribute in the packet. (rlm_ldap: Attribute "User-Password" is required for authentication).
insert the NT-Password (ntPassword) attribute into ldap user. this attibute is field with a NT hash value example: password: test NT Hash: 0CB6948805F797BF2A82807973B89537
Is there a way to do this authentification and NOT turning MS-CHAP protocol in VPN box? Are there some kind of preauth hooks in Radius?
I'm using freeradius-1.0.1-1.1.RHEL3 with openldap-2.0.27-17 and Netware 6.0 Directory Services.
P.S. I tried to turn MS-CHAP protocol and it works great with PAP or plain-text passwords. So everything is configured to work well with LDAP.