802.1x -> Radius -> Ldap

Alan DeKok aland at deployingradius.com
Fri Jun 18 08:01:18 CEST 2010

Kyle Plimack wrote:
> I have pap working (i.e.  I ran radtest and got an access-accept).
> I don’t want to configure certs on each of my hosts for each of my
> clients, so I’d like to use PEAP/msChapV2 so that dot1x clients are
> prompted for a username/password.
> According to the deployingradius.com guide, once pap is working,
> mschapv2 should “just work”.  It doesn’t.

  Your debug output shows you are using PEAP.  That is *not* MSCHAPv2.

> I’ve put the log on pastebin where it is formatted in a more friendly way
> http://pastebin.com/9tSjQW1f

  You have added "ldap" to the "inner-tunnel" section.  That's good.
You haven't read the WARNING in the debug output, as pointed out by
John.  That's bad.

  The server NEEDS a "known good" password in order to authenticate the
user.  The LDAP server didn't supply one.  Ensure that the LDAP server
returns a password.  It *will* work.

  This problem has come up many, many, times before.  The solution is
always the same: what we already told you.

  Alan DeKok.
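
[Added example, not part of the list post and not FreeRADIUS code.]
The "known good password" point above is the whole story, and it is worth
seeing why it is a protocol requirement rather than a configuration quirk.
PAP can be checked with nothing more than an LDAP bind as the user.
MSCHAPv2 is a challenge/response computed over the NT hash (MD4 of the
UTF-16LE password), so the server must already hold either the cleartext
password or the NT hash before it can verify anything; if the ldap module
gets neither back, e.g. because the RADIUS bind DN is not allowed to read
userPassword, PEAP/MSCHAPv2 fails no matter what the inner-tunnel says.
The script below models that authorize-time decision. All function names
(nt_hash, known_good_nt_hash, viable_methods, diagnose) and the sample
LDAP entries are constructed for this example; attribute values are
shown as lists of str for readability. It stops at deriving the NT hash
and does not implement the DES steps of the full MSCHAPv2 response.

```python
"""Why PEAP/MSCHAPv2 needs a "known good" password from LDAP (added example)."""
import struct
from typing import Optional

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, inlined because hashlib's md4 is disabled on many
    OpenSSL 3 builds.  Only needed because the NT hash is MD4-based."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: F(b,c,d) = (b & c) | (~b & d), words in order.
        for i in range(16):
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: majority function plus sqrt(2) constant.
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: xor function plus sqrt(3) constant.
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what MSCHAPv2 is computed over."""
    return md4(password.encode("utf-16-le"))


def known_good_nt_hash(entry: dict) -> Optional[bytes]:
    """Return the NT hash the server could check an MSCHAPv2 response against,
    or None when the directory handed back nothing usable (the situation the
    server's WARNING about a missing "known good" password refers to)."""
    nt = entry.get("sambaNTPassword")          # Samba-style schema: hex NT hash
    if nt:
        return bytes.fromhex(nt[0])
    pw = entry.get("userPassword")
    if not pw:
        return None                            # attribute absent or not readable by the bind DN
    value = pw[0]
    if value.startswith("{"):
        # {SSHA}, {crypt}, {MD5} ... are one-way hashes: fine for PAP,
        # useless for MSCHAPv2 since the NT hash cannot be recovered from them.
        return None
    return nt_hash(value)                      # cleartext userPassword


def viable_methods(entry: dict) -> set:
    """Which authentication methods this entry can support."""
    methods = {"PAP (LDAP bind)"}              # works even when no password is returned
    pw = entry.get("userPassword")
    if pw:
        methods.add("PAP (hash compare)" if pw[0].startswith("{") else "PAP (local compare)")
    if known_good_nt_hash(entry) is not None:
        methods.add("PEAP/MSCHAPv2")
    return methods


def diagnose(entry: dict) -> str:
    if known_good_nt_hash(entry) is not None:
        return "ok"
    return ("no known-good password from LDAP: give the RADIUS bind DN read access "
            "to userPassword, or store an NT hash / cleartext password")


# Constructed LDAP entries, as the ldap module might see them after a search.
ENTRIES = {
    "cleartext":  {"uid": ["kyle"], "userPassword": ["password"]},
    "nt-hash":    {"uid": ["kyle"], "sambaNTPassword": ["8846F7EAEE8FB117AD06BDD830B7586C"]},
    "ssha-only":  {"uid": ["kyle"], "userPassword": ["{SSHA}c29tZXNhbHRlZGhhc2g="]},
    "acl-hidden": {"uid": ["kyle"]},   # userPassword exists in the DIT but was not returned
}

if __name__ == "__main__":
    for name, entry in ENTRIES.items():
        print(f"{name:10s} {sorted(viable_methods(entry))}  {diagnose(entry)}")
```

Run it and the "acl-hidden" and "ssha-only" rows are exactly the failing case
in this thread: PAP still lists as viable (via bind or hash compare), PEAP/MSCHAPv2
does not. The fix is on the directory side, letting the RADIUS bind DN read a
cleartext or NT-hash form of the password, not in the inner-tunnel.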

More information about the Freeradius-Users mailing list