Thanks Arran. My error changed, which is good sign :) I believe I had this before: update { control:Password-With-Header += 'userPassword' control:NT-Password := 'gunthash' } which I changed to this: update { control:Password-With-Header += 'gunthash' } Not the log looks like: (8) ldap : User object found at DN "uid=ml623,ou=People,dc=georgetown,dc=edu" (8) ldap : Processing user attributes (8) ldap : control:Password-With-Header += ''{MD4}6DDDAFA<and so on>'' rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok (8) if ((ok || updated) && User-Password) (8) if ((ok || updated) && User-Password) -> FALSE (8) [expiration] = noop (8) [logintime] = noop (8) WARNING: pap : Found unknown header {{MD4}}: Not doing anything (8) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (8) WARNING: pap : Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x118e6e5211867494 (8) eap : Finished EAP session with state 0x118e6e5211867494 (8) eap : Previous EAP request found for state 0x118e6e5211867494, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) mschap : Found Cleartext-Password, hashing to create LM-Password (8) mschap : Found Cleartext-Password, hashing to create NT-Password (8) mschap : Creating challenge hash with username: ml623 (8) mschap : Client is using MS-CHAPv2 (8) ERROR: mschap : MS-CHAP2-Response is incorrect (8) [mschap] = reject On Mon, Mar 9, 2015 at 3:48 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 9 Mar 2015, at 15:42, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Hello,
Trying to get freeradius working for tls and mschap and ldap based authentication... seems the password is found correctly in LDAP, but fails to be decoded maybe?
the passwords in LDAP look like: {MD4}6DDDA<an so on..>
Map the LDAP attribute to control:Password-With-Header instead of control:NT-Password, the PAP module should then normalise the NT Password string, by stripping off the header, converting the hex to binary, and copying it to control:NT-Password.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html