Definitive Word on FreeRadius/LDAP/EAP Requirements

Ivan Kalik tnt at
Fri Jun 26 16:37:55 CEST 2009

>>> - Some have said EAP and LDAP can't be combined because LDAP requires
>>> plain text passwords here and EAP doesn't play ball in that manner

Ldap "bind as user" authentication can't be used with EAP but that doesn't
mean that you can't use passwords stored on Ldap server.

>> What EAP method are you using... The different EAP methods have
>> different requirements.
>   Well, again, I'm trying to work from a default Freeradius
> installation. The debug output, of course, is many repetitions of
> authorize/authenticate. I assume it's all about establishing the SSL
> session to my device in a lot of those, ending with:
> [peap]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> ++[eap] returns handled
>   After that, the last few cycles of authorize/authenticate head in
> the direction of many PEAP references, and, I suspect things finally
> going off the rails here:
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for ldaptest with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.

More debug would be of use. In default configuration ldap is not enabled
in inner-tunnel virtual server. Enable it in inner-tunnel authorize and
see if the password is available then.

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list