OK great, now I understand the root cause... 

I have changed my passwords in the ldap (im using openLDAP with phpldapadmin) to be clear text but still getting radius rejected issue.

The log says: Cleartext-Password is required for authentication but it should be?!

rad_recv: Access-Request packet from host 10.x.x.100 port 55524, id=14, length=50
        User-Name = "adamjseed"
        CHAP-Password = 0xf9f798ccef8ac701b1f545d0dda826172a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "adamjseed", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for adamjseed
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> adamjseed
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=adamjseed)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter (uid=adamjseed)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "Password01"
[ldap] looking for reply items in directory...
[ldap] user adamjseed authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Failed to decode Password-With-Header = "Password01"
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "adamjseed" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> adamjseed
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated



On Mon, Mar 3, 2014 at 1:36 PM, Alan DeKok <aland@deployingradius.com> wrote:
Adam Seed wrote:
> Hi Alan,
>
> That same wiki says 'The ldap module can only work with PAP passwords
> since it needs to send the clear text user password to the LDAP server
> to authenticate the user.'

  Where?

> I might be mis-understanding as im new to
> Radius, but that doesnt sound to positive. Anyway... I'm hoping to find
> a workaround

  That text (whatever it is) means that you can only do "bind as user"
when the Access-Request contains User-Password (i.e. PAP).


> So I checked my sites-enabled/default and it does have the LDAP module
> listed:

  OK...

> (I striped out the comments and highlighted the bits I changed)


  Please don't post it here.  It doesn't help.

> In addition here is the output of my debug:

  That's what we need.
>   [ldap] userPassword -> Password-With-Header ==
> "{MD5}1hkMdaNUxxbUu/hufTrjtQ=="

  You're storing passwords in MD5 hashed format.  This is incompatible
with CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

> [chap] Cleartext-Password is required for authentication

  See?  I suggest believing that message.  It'd true.

> Any assistant is greatly welcomed.

  (a) store clear-text passwords in LDAP

  (b) don't use CHAP.

  Pick one.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html