Definitive Word on FreeRadius/LDAP/EAP Requirements

Aaron Mahler amahler at
Fri Jun 26 16:19:29 CEST 2009

On Jun 26, 2009, at 10:00 AM, Arran Cudbard-Bell wrote:

>> - Some have said EAP and LDAP can't be combined because LDAP requires
>> plain text passwords here and EAP doesn't play ball in that manner
> What EAP method are you using... The different EAP methods have  
> different requirements.

Well, again, I'm trying to work from a default FreeRADIUS installation. The debug output, of course, is many repetitions of authorize/authenticate. I assume it's all about establishing the SSL session to my device in a lot of those, ending with:

[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
++[eap] returns handled

After that, the last few cycles of authorize/authenticate head in the direction of many PEAP references, and, I suspect, things finally go off the rails here:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for ldaptest with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.

It's another round or two of authorize/auth relating to PEAP and tunneling before:

[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this  
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

I'd be happy to revert to a fresh FreeRADIUS install and step through this all again in a systematic manner. I just remain uncertain on the overall viability of LDAP/EAP in this context due to so many contradictory references I've seen about where clear-text needs to exist or not exist in the relationship. Some things I've read seem to suggest LDAP / EAP can't co-exist here - period. Others seem to suggest it works with the right combination of elements, but nothing I've tried to replicate from those examples/discussions has worked thus far.

  - Aaron

