Yes i use PEAP/MsChapv2 , and password in OpenLDAP are stocked in clear mode , but there is a really strange eror while I try an autothentication via EAP-PEAP (MSCHAPv2) here is the output of Freeradius : lm_ldap: checking if remote access for test is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: group authorize returns ok for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: group Auth-Type returns reject for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: group authenticate returns reject for request 6 auth: Failed to validate the user. Login incorrect: [test/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE I dont know if that error is due to an impossible comporason beetwen hashed password in mschap and clear openldap password or if there is problems fields NT/LM-Password. 2006/6/6, Michael Griego <mgriego@utdallas.edu>:
I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2. In this case, MD5 is not involved anywhere. The passwords are hashed differently. As such, you must either have an NT hashed password (which is actually a unicode-encoded MD4 hash of the password) or a cleartext password in your directory.
--Mike
On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:
Hello,
I would like to use PEAP to perfome authentication of wlan users , I choose PEAP because Users and Passwords are in an LDAP Server (OPEN-LDAP). According to me PEAP works like this :
Phase 1 :: TLS handshake the server authenticate to the client as a trusted radius serveur and a cipher tunel is created. Phase 2 :: Login + Password + Domain hashed with MD5 are send to the Radius Server which ask LDAP server for password and login.
acording to the doc file : realm_eap , freeradius supports only eap-tls (authentication based only on certificates (client + server ) lead and eap-MD5 ( according to me even if PEAP use MD5 hash , the EAP-MD5 is different with no mutual autenthication and no TLS handshake )
I dont want to use a full certifcate based solution like EAP-TLS or a authentification with no ciphered tunel like with EAP-MD5
Anyone could help me for using PEAP (or at least authentication with the two phases described upper) with freeradius ?
thank you.
Ps : sorry for english mistakes :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html