On 10/27/2010 06:18 PM, Maurice James wrote:
How do I do it?
You were kindly given the answer previously by Maurice. But just to reinforce please review the compatibility information here: http://deployingradius.com/documents/protocols/compatibility.html The client is sending mschap, look at the table above, what are the valid password formats for mschap? What authentication mechanisms are valid with SSHA? So you basically have 3 choices: 1) Store cleartext passwords in ldap 2) Store nt hash in ldap 3) Don't support mschap clients Or if AD is available as your ldap use ntlm_auth with AD to support mschap.
Maurice James<midnightsteel@msn.com> wrote:
[ldap] looking for check items in directory... [ldap] userpassword -> User-Password == "{SSHA}5wzxRoUPX/rLkS9hY1HztczPN8u5m/dGDzKvdg=="
This will not work. You need a cleartext password. This SSHA-Hash is only good for PAP, any challenge response method like MSCHAPv2 won't function with this.
[mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for MJames with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject
And this is the result --> reject.
-- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/