Using mschap authentication without EAP
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jul 21 13:18:51 CEST 2006
> dn: cn=Vito Cu,ou=utenti,dc=xxxx,dc=it
> userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
This is:
userPassword: {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=
You MUST have plaintext passwords in your LDAP directory to do CHAP.
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".
Your NAS submitted a CHAP request. You cannot check CHAP requests by
simple bind to LDAP, only PAP.
You have three choices:
1. Store plaintext passwords in userPassword in LDAP, and use CHAP,
configured like this:
    authorize {
        preprocess
        chap
        ldap
    }
    authenticate {
        Auth-Type CHAP {
            chap
        }
    }
2. Store whatever you like in LDAP, configure your NAS to use PAP and
LDAP simple binds, configured like this:
    authorize {
        preprocess
        ldap
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
3. Store crypted passwords in userPassword, configure your NAS to use
PAP, and do PAP at the server side. Not recommended.
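
Added example, not part of the original post and not FreeRADIUS code: a Python sketch of why the {SHA} userPassword above can be checked for PAP but not for CHAP. The function names, the sample password and the sample challenge used with it are constructed for illustration; a cleartext value is assumed not to begin with "{".

```python
import base64
import hashlib
import hmac

# userPassword value from the post; the LDIF "::" marks it as base64-encoded.
LDIF_VALUE = "e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9"


def decode_ldif(b64_value):
    return base64.b64decode(b64_value).decode("ascii")


def split_scheme(stored):
    """'{SHA}abc=' -> ('SHA', 'abc='); a value with no prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, rest = stored[1:].split("}", 1)
        return scheme.upper(), rest
    return None, stored


def sha_value(password):
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def chap_response(ident, secret, challenge):
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def check_pap(stored, offered):
    # PAP delivers the password itself, so the server can re-hash and compare.
    scheme, rest = split_scheme(stored)
    if scheme is None:
        return hmac.compare_digest(rest.encode(), offered.encode())
    if scheme == "SHA":
        return hmac.compare_digest(sha_value(offered).encode(), stored.encode())
    raise ValueError("scheme not handled in this sketch: " + scheme)


def check_chap(stored, ident, challenge, response):
    # CHAP delivers only MD5(id || password || challenge); recomputing it
    # needs the cleartext, which a one-way {SHA} value cannot give back.
    scheme, rest = split_scheme(stored)
    if scheme is not None:
        return None  # cannot be checked against a hashed userPassword
    expected = chap_response(ident, rest.encode(), challenge)
    return hmac.compare_digest(expected, response)
```

check_chap() returns None, rather than False, when the stored value is hashed: the request cannot be evaluated at all, which is the situation the rlm_pap log line above reports.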