Failing to authenticate using FreeRadius (in OpenBSD) + XP as a client + Linksys AP (WRT54v2.2) using PEAP
Alan DeKok
aland at deployingradius.com
Sat Aug 16 10:42:22 CEST 2008
Maurizio Cimaschi wrote:
> I checked the example, but it's not clear to me why it is so.
Because User-Password is the password as entered by the user.
Cleartext-Password is the "known good" password on the server. They are
*not* the same.
When you do EAP, there is *no* User-Password attribute in the packets.
So doing "User-Password == ..." is *wrong*. There's no User-Password,
so there's nothing to compare to.
> In my environment I authenticate against an LDAP server, so according to
> the ldap.attrmap file the LDAP attribute "userPassword" (which contains
> the password in clear text form) is copied to the check-item
> "User-Password". While no attribute seems copied as check-item
> "Cleartext-Password". Still the mschap module is able to authenticate
> the users.
That is a historical artifact of the server. See the big warnings in
debugging mode in 2.0.x.
> Is it done "behind the curtain" by the ldap module ?
No.
> In my environment the LDAP server is also used by samba; so there are
> also LM/NT passwords available (in fact, some users are not also samba
> users but are authenticated via radius); but while googling about using
> freeradius with LDAP that possibility wasn't mentioned, while I found a
> howto that said to add to ldap.attrmap the line:
>
> checkItem User-Password userPassword
Which is wrong. It should map to Cleartext-Password.
Alan DeKok.
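The ldap.attrmap correction discussed in this thread, written out as an added example (not part of the original message). The attribute names are FreeRADIUS and Samba schema names; the sambaNTPassword line is an assumption about the poster's Samba-populated directory, not something the reply confirms.

```text
# ldap.attrmap excerpt: how the LDAP password attribute should be mapped.
#
# WRONG: User-Password is the password the user *sent*. With EAP (PEAP/
# MSCHAPv2) the request carries no User-Password at all, so a check item of
# that name has nothing to compare against; mschap only works here because
# of a historical fallback that 2.0.x warns about in debug mode.
#checkItem   User-Password        userPassword

# CORRECT: Cleartext-Password is the "known good" password on the server.
# rlm_mschap derives the NT hash from it to verify the MSCHAPv2 response.
checkItem    Cleartext-Password   userPassword

# Assumption (not confirmed by the reply): when the directory is shared with
# Samba and only the NT hash is available for some users, the hash itself can
# be used as the known-good credential instead of the cleartext value.
#checkItem   NT-Password          sambaNTPassword
```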