NT/LM password from LDAP (PAP works, MSCHAP doesn't).
Hello. I've working FreeRADIUS installation for 802.1x authentication and authorization using EAP-TLS with passwords - NT/LM hashes - stored in LDAP. And it works nice. Right now I'm deploying (yes. at this particular moment!) IPsec/L2TP VPN which will be utilizing RADIUS via ppp connection. And for PAP it works nice. However MSCHAP doesn't want to work. I'm kinda lost because EAP connection uses MSCHAP(v2) as well and this one works flawlessly. ;-) Am I missing something? I believe it should work. Or it cannot? I've attached FreeRADIUS' logfile. Any pointers/hints much appreciated. Kind regards, -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn]
Lech Karol Pawłaszek wrote:
Right now I'm deploying (yes. at this particular moment!) IPsec/L2TP VPN which will be utilizing RADIUS via ppp connection. And for PAP it works nice. However MSCHAP doesn't want to work. I'm kinda lost because EAP connection uses MSCHAP(v2) as well and this one works flawlessly.
;-) Am I missing something? I believe it should work. Or it cannot?
I've attached FreeRADIUS' logfile. Any pointers/hints much appreciated.
The Access-Request doesn't contain any MS-CHAP attributes. The server cannot do MS-CHAP. Alan DeKok.
On 1/13/10 5:06 PM, Alan DeKok wrote:
Lech Karol Pawłaszek wrote:
Right now I'm deploying (yes. at this particular moment!) IPsec/L2TP VPN which will be utilizing RADIUS via ppp connection. And for PAP it works nice. However MSCHAP doesn't want to work. I'm kinda lost because EAP connection uses MSCHAP(v2) as well and this one works flawlessly.
;-) Am I missing something? I believe it should work. Or it cannot?
I've attached FreeRADIUS' logfile. Any pointers/hints much appreciated.
The Access-Request doesn't contain any MS-CHAP attributes. The server cannot do MS-CHAP.
Thanks! I don't know how I've missed that. The problem was with radiusclient-ng's dictionary.microsoft file. For the reference there is a nice howto on the poptop page: http://poptop.sourceforge.net/dox/skwok/poptop_ads_howto_8.htm Now IPsec/L2TP works with RADIUS (using MS-CHAPv2), which is connected to a LDAP, which stores users' passwords in NT/LM hashes. Great success. ;-) Thanks again Alan for the awesome FreeRADIUS. Kind regards, -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn]
participants (2)
-
Alan DeKok -
Lech Karol Pawłaszek