Cleartext-Password not found + CHAP and LDAP

ouioui.bambin ouioui.bambin at
Tue Sep 1 15:36:51 CEST 2009

Hi there

I'm trying to configure my Freeradius (v 1.272) to work with an LDAP server (for a mac-based authentication). Unfortunately, switchs of the LAN send only Access-request to the RADIUS with a CHAP password, so I have to choose CHAP authentication.
I get the mac address from the LDAP and I map it in Cleartext-Password for the CHAP authentication.
LDAP mac addresses are like this "ethernet 00:11:22:33:44" so I have to modify Cleartext-Password before the authentication.

To do this, I have the following configuration:
checkItem Cleartext-Password dhcpHWAddress
(dhcpHWAddress being the attribute wich contains the mac-address in the LDAP)
Auth-Type CHAP {

#update control {
# Cleartext-Password := "%{User-Name}"

if ( Cleartext-Password =~ /ethernet ([1-9a-zA-Z:]*)/i ) {
update control {
Cleartext-Password := "%{1}"

And the right configuration in the radiusd.conf.

My problem is the Cleartext-Password is unknow ("not found") when I want to modify it, but after, during the anthentication, it has its value. Here is the debug (by freeradius -X):

rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=XXX,dc=fr, with filter (XXXXX)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute dhcpHWAddress as RADIUS attribute Cleartext-Password == "ethernet 00:11:XX:XX:XX:XX"
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute dhcpVlan as RADIUS attribute Tunnel-Private-Group-Id:0 = "XXX"
rlm_ldap: user 00:11:XX:XX:XX:XX authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
++? if (Cleartext-Password =~ /ethernet ([1-9a-ZA-Z:]*)/i )
(Attribute Cleartext-Password was not found)
rlm_chap: login attempt by "00:11:XX:XX:XX:XX" with CHAP password
rlm_chap: Using clear text password "ethernet 00:11:XX:XX:XX:XX" for user 00:11:XX:XX:XX:XX authentication.
rlm_chap: Password check failed

Of course if I remove the # before:
#update control {
# Cleartext-Password := "%{User-Name}"

Cleartext-Password takes a new value and all is fine...

I don't understand why the Cleartext-Password take a value from the LDAP, then is not found, and finally contains the value from the LDAP for the authentication...
Could you help me, please?


---------------------------------------------------------------------------- fête ses 10 ans ! 

Gratuite, garantie à vie et déjà utilisée par des millions d'internautes... 
vous aussi, pour votre adresse e-mail, choisissez, bien + qu'une messagerie 

More information about the Freeradius-Users mailing list