mschap2 over peap, how to use cleartext password defined on the freeradius server instead of using Windows AD?

James J J Hooper jjj.hooper at bristol.ac.uk
Thu Jan 7 20:07:30 CET 2010


On 07/01/2010 18:57, Difan Zhao wrote:
> Greetings!
>
> I did read the “*mschap*” module file and I did see that in order to use
> a *cleartext* password, I need to set “*MS-CHAP-Use-NTLM-Auth := No*”
> however I don’t know where to set it.
>
> I tried to set it in “*hints*” file like the following. I added it to
> the beginning of the file and the rest is just default.
>
> enseo_stb
>
> MS-CHAP-Use-NTLM-Auth := No
>
> The “*enseo_stb*” is the username. I do see that it matched the line in
> the *preprocess* in the debug however the authentication still failed. I
> don’t have this user account set in Windows AD. I do have it set in my
> *users* file.
>
> Enseo_stb Cleartext-Password := "password"
>
> Any advice?? Thank you!!
>

In the config file for your EAP _inner-tunnel_:

server inner-tunnel-server {
	authorize {
		...
		# Verify MS-CHAP against the local Cleartext-Password, not ntlm_auth
		update control {
			MS-CHAP-Use-NTLM-Auth := 0
		}
		mschap
		...
	}
}



... you could use unlang to wrap it in an if statement if you wanted to be 
selective about when to apply it.


-James


-- 
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk          http://www.jamesjj.net
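
The selective variant mentioned in the reply, as an added example that is not part of the original post: it skips ntlm_auth only for users who received a local Cleartext-Password, so every other user is still verified against AD. It assumes the users file is read by the stock "files" module and that "files" is listed before the check.

```unlang
# Added illustration, not the poster's configuration.
server inner-tunnel-server {
	authorize {
		# Assumption: the "files" module reads the users file that holds
		# the Cleartext-Password entries for local-only accounts.
		files

		# True only when "files" placed a Cleartext-Password in the
		# control list for this request, i.e. the account is local.
		if (control:Cleartext-Password) {
			update control {
				MS-CHAP-Use-NTLM-Auth := No
			}
		}

		# Accounts without a local password never get the override,
		# so mschap still calls ntlm_auth for them.
		mschap

		# ... remaining authorize entries unchanged ...
	}
}
```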