NT/LM password from LDAP (PAP works, MSCHAP doesn't).

Lech Karol Pawłaszek ike at szluug.org
Wed Jan 13 22:00:38 CET 2010


On 1/13/10 5:06 PM, Alan DeKok wrote:
> Lech Karol Pawłaszek wrote:
>> Right now I'm deploying (yes. at this particular moment!) IPsec/L2TP VPN
>> which will be utilizing RADIUS via ppp connection. And for PAP it works
>> nice. However MSCHAP doesn't want to work. I'm kinda lost because EAP
>> connection uses MSCHAP(v2) as well and this one works flawlessly.
>>
>> ;-) Am I missing something? I believe it should work. Or it cannot?
>>
>> I've attached FreeRADIUS' logfile. Any pointers/hints much appreciated.
> 
>   The Access-Request doesn't contain any MS-CHAP attributes.  The server
> cannot do MS-CHAP.

Thanks! I don't know how I've missed that. The problem was with
radiusclient-ng's dictionary.microsoft file.

For reference, there is a nice howto on the poptop page:
http://poptop.sourceforge.net/dox/skwok/poptop_ads_howto_8.htm

Now IPsec/L2TP works with RADIUS (using MS-CHAPv2), which is connected
to an LDAP, which stores users' passwords in NT/LM hashes. Great success.

;-) Thanks again Alan for the awesome FreeRADIUS.

Kind regards,

-- 
Lech Karol Pawłaszek <ike>
"You will never see me fall from grace" [KoRn]
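
Added example, not part of the original message and not FreeRADIUS code: a check for the condition Alan describes, reporting whether an Access-Request carries the Microsoft vendor-specific MS-CHAP attributes (vendor 311, numbers from RFC 2548). The function names and both sample packets are constructed for illustration, and only the first sub-attribute of each Vendor-Specific attribute is inspected.

```python
import struct

MICROSOFT_VENDOR_ID = 311   # RFC 2548
VENDOR_SPECIFIC = 26        # RFC 2865
MSCHAP_TYPES = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}

def iter_attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def auth_attributes(packet):
    """Names of the credential-carrying attributes present in the request."""
    found = []
    for atype, value in iter_attributes(packet):
        if atype == 2:
            found.append("User-Password")          # PAP
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MICROSOFT_VENDOR_ID and vtype in MSCHAP_TYPES:
                found.append(MSCHAP_TYPES[vtype])
    return found

def can_do_mschap(packet):
    """This sketch's rule: a challenge plus a v1 or v2 response must be present."""
    found = auth_attributes(packet)
    return "MS-CHAP-Challenge" in found and (
        "MS-CHAP2-Response" in found or "MS-CHAP-Response" in found)

# Constructed sample packets (Access-Request, zeroed authenticator and payloads).
def build(attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def vsa(vtype, data):
    return (VENDOR_SPECIFIC,
            struct.pack("!I", MICROSOFT_VENDOR_ID) + bytes([vtype, len(data) + 2]) + data)

PAP_REQUEST = build([(1, b"alice"), (2, bytes(16))])
MSCHAP_REQUEST = build([(1, b"alice"), vsa(11, bytes(16)), vsa(25, bytes(50))])
```

A request that yields only User-Password, like the first sample, is what the server sees when the RADIUS client never encodes the Microsoft attributes.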




More information about the Freeradius-Users mailing list