I have FreeRadius 3 and OpenLDAP and I want to use PEAP + EAP-MSCHAPv2 for authentication. I have NT-hash stored in a custom LDAP attribute.
I am still finding contradicting information whether that setup is supported. Is it? If so, is NT-hash == MD4(user_password)?
Not quite, it's the password converted to UTF16-LE encoding and then run through MD4. https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_... There's a helpful utility called smbcrypt which is built at part of the server: https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_... you could probably use that to create the hashes. The steps would be: - Modify LDAP ACLs so only the RADIUS user can read your custom LDAP attribute (it's pretty much as good as cleartext because MD4 is very much broken). - Add an entry in the user mapping to map <your custom password attr> := &control:NT-Password https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/mods-avail... - Call LDAP in the inner tunnel server to set the password attributes. -Arran