FreeRADIUS + OpenLDAP + MSCHAPv2
Matt Bernstein
+systems.extlists.freeradius-users at dcs.qmul.ac.uk
Sun Nov 16 14:56:03 CET 2008
On Nov 14 Tim Gustafson wrote:
> I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.
The easiest way to install the latest FreeRADIUS on CentOS I know of is to
visit <http://koji.fedoraproject.org/koji/packageinfo?packageID=298>, find
the latest source RPM and rebuild it. It's a small amount of work, but
will stop people saying "upgrade" a lot.
> I'm trying to figure out how to configure FreeRADIUS to authenticate
> against an OpenLDAP server using MSCHAPv2. I Googled a lot of different
> phrases, and came up with some things that were mildly helpful. Right
> now, I have FreeRADIUS authenticating against the LDAP server without
> using MSCHAPv2, but I'm not understanding how to now activate the
> MSCHAPv2 part.
I have it working. You need to check your ldap.attrmap (or whatever you've
set dictionary_mapping to) points at the right LDAP field. I use the
samba schema, so:
checkItem NT-Password sambaNtPassword
Then your debug log should include entries like:
rlm_ldap: sambaNtPassword -> NT-Password == 0x........
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
...but this is OK, since with "mschap" before "ldap" in your authorize{}
block, FreeRADIUS will handle the challenge-response stuff correctly for
MSCHAPv2 using the NT hash from OpenLDAP. Make sure you bind to OpenLDAP
with sufficient privilege to read the NT hash!
HTH
Matt
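The pieces Matt describes (the attrmap entry, "mschap" before "ldap" in authorize{}, and a bind identity that is allowed to read the hash), pulled together into one configuration. This is an added example, not Matt's own config or a file shipped with FreeRADIUS; it follows the FreeRADIUS 2.x raddb layout and OpenLDAP slapd.conf ACL syntax, and the hostname, DNs, password and certificate path are placeholders you must replace.

```conf
# --- raddb/ldap.attrmap (the file named by dictionary_mapping) ---
# Map the Samba NT hash onto the NT-Password check item, so rlm_mschap has a
# "known good" hash to compute the MSCHAPv2 challenge-response against.
checkItem	NT-Password	sambaNtPassword

# --- raddb/modules/ldap ---
ldap {
	server = "ldap.example.com"                     # assumed hostname
	# Bind as a dedicated service account. Anonymous or "auth"-only binds
	# cannot read sambaNtPassword under typical OpenLDAP ACLs, and rlm_ldap
	# will then log "No known good password was found in LDAP" for real.
	identity = "cn=radius,ou=services,dc=example,dc=com"   # assumed DN
	password = "change-me"                          # placeholder
	basedn = "ou=people,dc=example,dc=com"          # assumed base
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	dictionary_mapping = ${confdir}/ldap.attrmap
	tls {
		# The NT hash is password-equivalent: never fetch it over cleartext LDAP.
		start_tls = yes
		cacertfile = /etc/raddb/certs/ca.pem            # assumed path
	}
}

# --- raddb/sites-enabled/default ---
authorize {
	preprocess
	# mschap must run before ldap: on seeing MS-CHAP-Challenge and
	# MS-CHAP2-Response it sets Auth-Type = MS-CHAP. With Auth-Type already
	# set, ldap only fetches NT-Password and does not try to set
	# Auth-Type = LDAP (a plain bind, which cannot answer a challenge-response).
	mschap
	suffix
	ldap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}

# --- /etc/openldap/slapd.conf: let only the service account read the hash ---
access to attrs=sambaNtPassword,sambaLmPassword
	by dn.exact="cn=radius,ou=services,dc=example,dc=com" read
	by self write
	by * none
```

The ACL and TLS lines are the security-relevant part: whoever can read sambaNtPassword can answer an MSCHAPv2 challenge as that user (the hash is all the server itself uses), and can crack it offline, so treat that bind identity's credentials like a password database. To confirm the wiring, run radiusd -X and look for "rlm_ldap: sambaNtPassword -> NT-Password == 0x..." followed by mschap reporting a successful MS-CHAP2-Response; if you see Auth-Type = LDAP being set instead, mschap is listed after ldap.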