Recommendation
Alan DeKok
aland at deployingradius.com
Tue Aug 17 22:02:07 CEST 2010
Paul Dugas wrote:
> The settings in NetworkManager on my Fedora Linux laptop, when I
> choose WPA&WPA2-Enterprise and PEAP, allow MSCHAPv2 (default), MD5,
> and GTC for the inner authentication. I see on the protocol
> compatibility table you referenced that only clear-text and ntlm_auth
> are available under PEAP and EAP-MSCHAPv2.

No. MS-CHAP is compatible with the "NT Hash" form, or "NT-Password".
This same form is also used by ntlm_auth.

> I do not have clear-text
> passwords in my LDAP directory so I concluded I needed to look into
> ntlm_auth.
>
> Where did I go wrong?

You have mistaken a tool for a method. "ntlm_auth" is a tool which
gets MS-CHAP to authenticate to Active Directory. "NT hash" is a
password hashing method.

If you do not have clear-text or NT hashed passwords in your LDAP
database, then *no* tool will magically make MS-CHAP work. The problem
is the method used to store the password. The problem is *not* the tool
used to retrieve the password.

Alan DeKok.