On Dec 19, 2019, at 12:09 PM, Juntunen, Jarkko <[hidden email] <http://freeradius.1045715.n5.nabble.com/user/SendEmail.jtp?type=node&node=5756527&i=0>> wrote:
Thanks for Your advice. We have run Freeradius in debug mode couple of hours and the problem seems to be ( at least in my opinion) missing of password in case of EAP authentication. And the problem is that I have no clue how to have Cleartext-password out of EAP-MSCHAP auth.
You can't. It's impossible.
http://deployingradius.com/documents/protocols/compatibility.html
Alan DeKok.
So, that means It'll be also impossible to authenticate with Freeradius and LDAP-server in case in question, if Meraki (Cisco) wifi-endpoints can only use EAP-MSCHAP authentication? Did I got this right? Jarkko Juntunen Partner / Founder / Bit Kompis Bit Kompis AB Tel. +358 44 093 1280 Kiinnostaako 3D-tulostus? <http://bitkompisab.fi/3d.html>
On Dec 19, 2019, at 12:25 PM, Juntunen, Jarkko <jarkko.juntunen@bitkompisab.fi> wrote:
So, that means It'll be also impossible to authenticate with Freeradius and LDAP-server in case in question, if Meraki (Cisco) wifi-endpoints can only use EAP-MSCHAP authentication? Did I got this right?
No, that's not what the web page says. This isn't a limitation of FreeRADIUS. It's how the protocols are designed. *All* RADIUS servers have the same issue. And the solution is the same in all cases. Make sure that the LDAP server has a Cleartext-Password or NT-Password available. Which is exactly what the web page says. I shouldn't need to re-type it in an email message. Alan DeKok.
So, that means It'll be also impossible to authenticate with Freeradius and
LDAP-server in case in question, if Meraki (Cisco) wifi-endpoints can only use EAP-MSCHAP authentication? Did I got this right?
No, that's not what the web page says. This isn't a limitation of FreeRADIUS. It's how the protocols are designed. *All* RADIUS servers have the same issue. And the solution is the same in all cases. Make sure that the LDAP server has a Cleartext-Password or NT-Password available. Which is exactly what the web page says. I shouldn't need to re-type it in an email message.
Alan DeKok.
Doesn't meant to criticise Freeradius. Jus want to know is there a way to get this working or am I banging my head for nothing. So, If we have Cleartext-passwords or NT-passwords available for users in our LDAP-server should it work then, or is there still something to configure on Freeradius side? -Jarkko
On Dec 19, 2019, at 12:50 PM, Juntunen, Jarkko <jarkko.juntunen@bitkompisab.fi> wrote:
So, If we have Cleartext-passwords or NT-passwords available for users in our LDAP-server should it work then, or is there still something to configure on Freeradius side?
Yes, yes, and yes. Yes, that's what the web page says. Yes, that's what my previous message said. Yes. Did I mention that the answer to your question is "YES" ??? I don't understand the need to ask the same question over and over. It's not friendly. It's like someone meeting a magical genie who says that he will answer any 3 questions about anything: past, present, or future. The conversation then goes as follows: guy: Really? genie: Yes! guy: Really? genie: Yes! guy: Really? genie: Yes! genie: Thank you, I've answered your three questions. Please find a way to *believe* the documentation and the email messages. It's not difficult. Alan DeKok.
participants (2)
-
Alan DeKok -
Juntunen, Jarkko