CHAP/MS-CHAP/MS-CHAPv2 + LDAP problem

Tiago Fernandes l13614 at alunos.uevora.pt
Thu Sep 1 23:16:11 CEST 2005


On Thu, 2005-09-01 at 12:32 +0300, Vilius Šumskas wrote:
> Hello,
> 
> I'm having trouble authenticating from VPN box through Radius server to LDAP.
> My VPN uses MS-CHAP challenge/response system for authentication. 
> Packet that comes from VPN to Radius server looks like this:
> 
> User-Name = "admin"
> MS-CHAP-Challenge = 0x45bc0700dd22f6795f77bbe0d986328c
> MS-CHAP2-Response = 0x0100313396a8ea58cd1155c817c50a00715b0000000000000000b03e5340a5ae3c2ac4e9408d57eae02fcfdbffab3f983a1b
> NAS-Port = 0
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 10.1.1.202
> 
> But Radius can't authenticate to LDAP as there is no User-Password 
> attribute in the packet. (rlm_ldap: Attribute "User-Password" is 
> required for authentication).
> 

Insert the NT-Password (ntPassword) attribute into the LDAP user. This
attribute is filled with an NT hash value.

example: 
 password: test
 NT Hash: 0CB6948805F797BF2A82807973B89537

> Is there a way to do this authentication and NOT turning MS-CHAP 
> protocol in VPN box? Are there some kind of preauth hooks in Radius?
> 
> I'm using freeradius-1.0.1-1.1.RHEL3 with openldap-2.0.27-17 and 
> Netware 6.0 Directory Services.
> 
> 
> P.S. I tried to turn MS-CHAP protocol and it works great with PAP or 
> plain-text passwords. So everything is configured to work well with 
> LDAP.
> 
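How the NT hash value in the reply is derived (MD4 over the UTF-16LE password), shown as an added example that is not part of the original posts. MD4 is written out in pure Python because `hashlib`'s md4 is often unavailable on current OpenSSL builds; the DN in the LDIF helper is a hypothetical placeholder.

```python
import struct

_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order
_MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)          # 64-bit bit length
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:      # round 1: F(b,c,d)
                f, k, s, add = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:    # round 2: G(b,c,d)
                f, k, s, add = ((b & c) | (b & d) | (c & d),
                                (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999)
            else:           # round 3: H(b,c,d)
                f, k, s, add = b ^ c ^ d, _R3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            t = (a + f + X[k] + add) & _MASK
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & _MASK, b, c
        h = [(x + y) & _MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, as uppercase hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

def ntpassword_ldif(dn: str, password: str) -> str:
    """LDIF change that sets the ntPassword attribute named in the reply.

    The hash is unsalted and is all MS-CHAP needs to answer a challenge,
    so read access to this attribute should be limited to the RADIUS
    server's bind DN.
    """
    return (f"dn: {dn}\nchangetype: modify\nreplace: ntPassword\n"
            f"ntPassword: {nt_hash(password)}\n")

if __name__ == "__main__":
    # Hypothetical DN; the password/hash pair is the one from the reply.
    print(ntpassword_ldif("uid=admin,ou=people,dc=example,dc=org", "test"))
```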