802.1x ->Radius ->Ldap
Alan DeKok
aland at deployingradius.com
Fri Jun 18 08:01:18 CEST 2010
Kyle Plimack wrote:
> I have pap working (i.e. I ran radtest and got an access-accept).
> I don’t want to configure certs on each of my hosts for each of my
> clients, so I’d like to use PEAP/msChapV2 so that dot1x clients are
> prompted for a username/password.
>
> According to the deployingradius.com guide, once pap is working,
> mschapv2 should “just work”. It doesn’t.

Your debug output shows you are using PEAP. That is *not* MSCHAPv2.

> I’ve put the log on pastebin where it is formatted in a more friendly way
> http://pastebin.com/9tSjQW1f

You have added "ldap" to the "inner-tunnel" section. That's good.

You haven't read the WARNING in the debug output, as pointed out by
John. That's bad.

The server NEEDS a "known good" password in order to authenticate the
user. The LDAP server didn't supply one. Ensure that that LDAP server
returns a password. It *will* work.

This problem has come up many, many times before. The solution is
always the same: what we already told you.

Alan DeKok.
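
One way to check what the reply above asks for, as an added example that is not part of the original message or of FreeRADIUS: it parses the LDIF returned for a user entry (as seen by the identity the RADIUS server binds with) and reports whether a password usable for MS-CHAPv2 came back. The sample entries are constructed, and the `sambaNTPassword` attribute and the rule that only a cleartext password or an NT hash can verify an MS-CHAPv2 response are assumptions that go beyond what the message states.

```python
import base64

def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def password_for_mschapv2(ldif):
    """Return (kind, usable): what password the directory returned and
    whether a server could use it to verify an MS-CHAPv2 response."""
    attrs = parse_ldif_entry(ldif)
    if attrs.get("sambantpassword"):        # assumption: Samba schema NT hash
        return ("nt-hash", True)
    for pw in attrs.get("userpassword", []):
        if pw.startswith("{") and "}" in pw:
            # Assumption: any {SCHEME} prefix marks a one-way hash such as
            # {SSHA}, which is enough for PAP but not for MS-CHAPv2.
            return ("hashed:" + pw[1:pw.index("}")].upper(), False)
        return ("cleartext", True)
    return ("missing", False)               # directory supplied no password

# Constructed sample entries (not taken from the pastebin log).
NO_PASSWORD = "dn: uid=alice,ou=people,dc=example,dc=org\nuid: alice\ncn: Alice\n"
HASHED = (NO_PASSWORD + "userPassword:: "
          + base64.b64encode(b"{SSHA}Y29uc3RydWN0ZWQ=").decode() + "\n")
CLEARTEXT = NO_PASSWORD + "userPassword: constructed-secret\n"
NT_HASH = NO_PASSWORD + "sambaNTPassword: 00112233445566778899AABBCCDDEEFF\n"

if __name__ == "__main__":
    for label, entry in [("no password", NO_PASSWORD), ("hashed", HASHED),
                         ("cleartext", CLEARTEXT), ("nt hash", NT_HASH)]:
        print(label, "->", password_for_mschapv2(entry))
```

A result of `("missing", False)` for an entry that does have a password in the directory usually points at the read permissions of the bind identity rather than at the RADIUS configuration.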