802.1x ->Radius ->Ldap

John Dennis jdennis at redhat.com
Fri Jun 18 16:14:33 CEST 2010

On 06/18/2010 02:01 AM, Alan DeKok wrote:
> Kyle Plimack wrote:
>> I have pap working (i.e.  I ran radtest and got an access-accept).
>> I don’t want to configure certs on each of my hosts for each of my
>> clients, so I’d like to use PEAP/msChapV2 so that dot1x clients are
>> prompted for a username/password.
>> According to the deployingradius.com guide, once pap is working,
>> mschapv2 should “just work”.  It doesn’t.
>    Your debug output shows you are using PEAP.  That is *not* MSCHAPv2.
>> I’ve put the log on pastebin where it is formatted in a more friendly way
>> http://pastebin.com/9tSjQW1f
>    You have added "ldap" to the "inner-tunnel" section.  That's good.
> You haven't read the WARNING in the debug output, as pointed out by
> John.  That's bad.
>    The server NEEDS a "known good" password in order to authenticate the
> user.  The LDAP server didn't supply one.  Ensure that that LDAP server
> returns a password.  It *will* work.

Do an ldapsearch on the command line for the user to see what is getting 
returned to radius. Look for the password attributes: are they there? Is 
there a cleartext password rather than just hashes? Does the cleartext 
password attribute in ldap match the password attribute in your radius 
ldap config (by default it's userPassword)? Does your 
/etc/raddb/ldap.attrmap file have this line?

checkItem   Cleartext-Password      userPassword

Don't forget to put an ACL on the password attributes in ldap, you don't 
want others to be able to read them! If you don't want to store 
cleartext passwords you'll need to restrict the protocols you support.

John Dennis <jdennis at redhat.com>
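An added example (not from this thread or from FreeRADIUS): a small Python script that reads the LDIF ldapsearch returns and reports, per user, whether userPassword came back at all and whether it holds a cleartext value or a {SCHEME} hash, plus a check that ldap.attrmap carries the checkItem line above. The LDIF and attrmap text are constructed samples; the DNs and the default attribute name are assumptions.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")  # RFC 2307 "{SSHA}..." prefix

def parse_ldif(ldif_text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; unfolds continuation lines
    and decodes '::' base64 values (ldapsearch emits userPassword that way)."""
    entries, attrs = {}, {}
    for line in re.sub(r"\n ", "", ldif_text).splitlines() + [""]:
        if not line:  # a blank line closes the current entry
            if "dn" in attrs:
                entries[attrs["dn"][0]] = attrs
            attrs = {}
            continue
        name, sep, raw = line.partition(":")
        if not sep or name.startswith("#"):
            continue
        value = (base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
                 if raw.startswith(":") else raw.strip())
        attrs.setdefault(name, []).append(value)
    return entries

def classify_password(value):
    # A "{SCHEME}" prefix means a stored hash; MS-CHAPv2 needs the cleartext
    # (or an NT hash), so {SSHA}/{CRYPT}-style values will not authenticate.
    m = SCHEME_RE.match(value)
    return "hash:" + m.group(1).upper() if m else "cleartext"

def audit_passwords(ldif_text, attr="userPassword"):
    # Per DN: "missing" if the attribute never came back, else what kind each value is.
    return {dn: [classify_password(v) for v in a[attr]] if attr in a else "missing"
            for dn, a in parse_ldif(ldif_text).items()}

def attrmap_maps_cleartext(attrmap_text, ldap_attr="userPassword"):
    # True if ldap.attrmap carries "checkItem Cleartext-Password <ldap_attr>".
    want = ["checkItem", "Cleartext-Password", ldap_attr]
    return any(l.split("#", 1)[0].split() == want for l in attrmap_text.splitlines())

# Constructed stand-in for `ldapsearch -x -LLL "(uid=...)" userPassword` output.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\nuserPassword:: "
    + base64.b64encode(b"s3cret-pw").decode() + "\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\nuserPassword:: "
    + base64.b64encode(b"{SSHA}constructed-not-a-real-hash").decode() + "\n\n"
    "dn: uid=carol,ou=People,dc=example,dc=com\ncn: Carol\n"
)
SAMPLE_ATTRMAP = "# constructed ldap.attrmap excerpt\ncheckItem   Cleartext-Password      userPassword\n"
```

A user reported as "missing" or "hash:..." is exactly the case the WARNING in the debug output is about: the server has no known-good password to run MS-CHAPv2 against.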

