Maurizio Cimaschi wrote:
Alan DeKok wrote:
The *client* has to supply the MS-CHAP magic using the LAN-manager password. Since the client always chooses NT-hashed passwords... using LAN manager passwords is not possible.
From the README is src/modules/rlm_mschap ... So it seems more a limit of the server.
No. The server ALREADY can use LM passwords to authenticate users, IF one is supplied, AND the client supplies the LM fields of the MS-CHAP response. Go read the source code to rlm_mschap.c
Could it be possible to see in the debug if the two encrypted pwd are available ? if thy're there it could be possible to write a patch and, possibly, to attach directly to the AD (which seems to make that LM pwd available).
You don't need a patch. You can just add the dBCSpwd to ldap.attrmap. But it won't help. Why? Take a look at RFC 2548, and compare MS-CHAP v*1* to MS-CHAP v*2*. There's no LM-Password fields on MS-CHAPv2. And PEAP uses EAP-MSCHAPv2, not v1. Newer versions of Windows also do MS-CHAPv2, not v1. So... the dBCSpwd field will only help if the client is doing MS-CHAPv1. Which means PPP. Sometimes. For very old versions of Windows. Nice, but not very helpful. Alan DeKok.