On Feb 23, 2019, at 12:58 PM, Phil Grace <phil.grace@hssd.k12.ar.us> wrote:
Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running free radius 3.x on ubuntu server 18.10. I have LDAP enabled to auth to google secure LDAP. So far I’m binding to google successfully and with the radtest command my LDAP user gets access-accept. If I do raddest with -t mschap I get access-reject.
Are you reading the "known good" password from LDAP? Or are you seeing the User-Password to LDAP, and having it verify the password?
I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help
... (15) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (15) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
The server didn't get the "known good" password from LDAP. So it can't do the MS-CHAP calculations. And no, you can't pass the MS-CHAP stuff to LDAP. LDAP servers are databases. They don't implement authentication protocols like MS-CHAP. The only solution here is to have the LDAP server return the "known good" password to FreeRADIUS. Alan DeKok.