Hello, I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine. I'm trying to figure out how to configure FreeRADIUS to authenticate against an OpenLDAP server using MSCHAPv2. I Googled a lot of different phrases, and came up with some things that were mildly helpful. Right now, I have FreeRADIUS authenticating against the LDAP server without using MSCHAPv2, but I'm not understanding how to now activate the MSCHAPv2 part. Can anyone point me towards some information about activating MSCHAPv2 in this kind of setup? Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354
I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.
I'm trying to figure out how to configure FreeRADIUS to authenticate against an OpenLDAP server using MSCHAPv2. I Googled a lot of different phrases, and came up with some things that were mildly helpful. Right now, I have FreeRADIUS authenticating against the LDAP server without using MSCHAPv2, but I'm not understanding how to now activate the MSCHAPv2 part.
Can anyone point me towards some information about activating MSCHAPv2 in this kind of setup?
There is nothing to do. It's already active in default configuration. Ivan Kalik Kalik Informatika ISP
There is nothing to do. It's already active in default configuration.
Really? Because the default config seems to want to use ntlm_auth to authenticate mschapv2 users, which is a samba helper designed to authenticate a user against a samba server, not an OpenLDAP server. I'm thinking what I need is a replacement for ntlm_auth that goes against an OpenLDAP server rather than using the samba libraries, no? Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354
There is nothing to do. It's already active in default configuration.
Really? Because the default config seems to want to use ntlm_auth to authenticate mschapv2 users, which is a samba helper designed to authenticate a user against a samba server, not an OpenLDAP server.
ntlm_auth line is commented out by default. Ivan Kalik Kalik Informatika ISP
On Nov 14 Tim Gustafson wrote:
I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.
The easiest way to install the latest FreeRADIUS on CentOS I know of is to visit <http://koji.fedoraproject.org/koji/packageinfo?packageID=298>, find the latest source RPM and rebuild it. It's a small amount of work, but will stop people saying "upgrade" a lot..
I'm trying to figure out how to configure FreeRADIUS to authenticate against an OpenLDAP server using MSCHAPv2. I Googled a lot of different phrases, and came up with some things that were mildly helpful. Right now, I have FreeRADIUS authenticating against the LDAP server without using MSCHAPv2, but I'm not understanding how to now activate the MSCHAPv2 part.
I have it working. You need to check your ldap.attrmap (or whatever you've set dictionary_mapping to) points at the right LDAP field. I use the samba schema, so: checkItem NT-Password sambaNtPassword Then your debug log should include entries like: rlm_ldap: sambaNtPassword -> NT-Password == 0x........ WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? ..but this is OK, since with "mschap" before "ldap" in your authorize{} block, FreeRADIUS will handle the challenge-response stuff correctly for MSCHAPv2 using the NT hash from OpenLDAP. Make sure you bind to OpenLDAP with sufficient privilege to read the NT hash! HTH Matt
participants (3)
-
Matt Bernstein -
Tim Gustafson -
tnt@kalik.net