On 08/31/2010 10:23 AM, matteo@crs4.it wrote:
Hello all, I'm trying to use Freeradius 21.1.9 EAP-TTLS with MSCHAPv2 as inner authentication against an OpenLDAP server with crypt password encryption scheme.
That is not possible I'm afraid. MS-CHAP requires access to the NT/LM hashes (or plaintext password), or access to a machine which does (domain controller) via the ntlm_auth helper binary. As you can see:
Tue Aug 31 11:12:04 2010 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Then:
Tue Aug 31 11:12:04 2010 : Info: +- entering group MS-CHAP {...} Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password. Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password. Tue Aug 31 11:12:04 2010 : Info: [mschap] Told to do MS-CHAPv2 for matteo@crs4.it with NT-Password Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
To emphasise this is IMPOSSIBLE; you will either need to store a different password hash, or use a different inner EAP method - probably PAP.