FreeRADIUS + OpenLDAP + MSCHAPv2
Alan DeKok
aland at deployingradius.com
Wed Nov 19 00:12:36 CET 2008
Tim Gustafson wrote:
> Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is more up-to-date than the CentOS Yum repositories apparently).
>
> However, upon reading the documentation in modules/ldap, I see this:
...
> So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I missing something again?
A lot of the confusion here is terminology. People talk about pulling
a password from a database and doing authentication in RADIUS as
"authenticating against LDAP". This is technically *not* correct.
In short, LDAP doesn't do MS-CHAPv2. You can't "do MS-CHAPv2 against
an LDAP server". You CAN have FreeRADIUS read the clear-text password
from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication.
Thinking of it in this way is the *correct* way. It also has impacts
on attitudes towards network design, requirements, etc. If you think of
it as "doing MS-CHAPv2 against LDAP", it will be difficult to design a
system based on how things really work... because the conceptual model
underlying the design is wrong.
Alan DeKok.
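The model Alan describes, written out as an added FreeRADIUS 2.x configuration sketch (not from the original thread): the ldap module only supplies the stored password during authorize, and the mschap module performs the MS-CHAPv2 check itself. Server name, bind DN, base DN and the choice of userPassword as the password attribute are assumptions for the example.

```conf
# raddb/modules/ldap (example only; hostnames and DNs are assumptions)
ldap {
    server   = "ldap.example.com"
    identity = "cn=radius,dc=example,dc=com"
    password = "CHANGE-ME"
    basedn   = "ou=people,dc=example,dc=com"
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # The attribute holding the user's password. When it is readable
    # by the bind identity and stored in clear text, the module copies
    # it into control:Cleartext-Password for later modules to use.
    password_attribute = userPassword
}

# raddb/sites-available/default
authorize {
    preprocess
    mschap      # sees MS-CHAP-Challenge/Response, sets Auth-Type := MS-CHAP
    ldap        # reads the entry and exposes the stored password;
                # LDAP itself never sees the MS-CHAPv2 exchange
}

authenticate {
    # Wrong mental model: "authenticate against LDAP". A bind as the user
    # only works when the client sent a clear-text (PAP) password.
    Auth-Type LDAP {
        ldap
    }

    # Correct model: FreeRADIUS derives the NT hash from the
    # Cleartext-Password that ldap supplied and verifies the peer's
    # MS-CHAPv2 response locally.
    Auth-Type MS-CHAP {
        mschap
    }
}
```

If the directory stores only hashed passwords (for example {SSHA}), the mschap module has nothing to work from and MS-CHAPv2 fails regardless of how the sections are ordered; the NT hash or the clear-text password must be obtainable from the directory.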