802.1x ->Radius ->Ldap

John Dennis jdennis at redhat.com
Fri Jun 18 22:25:32 CEST 2010

On 06/18/2010 02:11 PM, Kyle Plimack wrote:
> Doing an ldapsearch put me on the right track, I had created a user
> ‘radiusd’, but that user did not have the rights to request the
> userPassword.
> The error I am getting now is:
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for kplimack with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> I added an entry to ldap.attrmap, “checkItem Cleartext-Password
> userPassword”
> The Password is not cleartext, but I read somewhere that radius is
> supposed to figure that out automatically from a header. This is what is
> returned:
> rlm_ldap: userPassword -> Cleartext-Password ==
> "{SSHA}xQjX16XbCUSXpiR2y****************"

That's not a clear text password, is it?

You can't do MSCHAP with SHA1.

Please look at:


Which password type is compatible with *all* authentication mechanisms?

Which will work with SHA1?

If you have multiple password attributes in ldap per user, for instance 
different hashes and hopefully a cleartext, then set the userPassword 
attribute in ldap.attrmap to User-Password and enable auto_header in the 
ldap module config. The ldap will read *every* password attribute 
defined for the user and map them based on the {} prefix. In the above 
case your prefix was {SSHA} so rlm_ldap will map that to PW_SSHA_PASSWORD.

But you already know from reading the protocol table it won't work with 
MSCHAP, right?

Which type of password works with everything? Look at the table.

What works with MSCHAP? Look at the table.

Now, go back and add the necessary password attributes to your ldap.

John Dennis <jdennis at redhat.com>
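An added illustration of the point made in this reply, not code from the thread or from FreeRADIUS: it splits an LDAP userPassword value on its {scheme} header, maps it to a control attribute the way auto_header is described as doing, and reports whether that attribute can ever satisfy an MS-CHAPv2 request. The header-to-attribute table, the {SSHA} salt and the sample values are assumptions constructed for the example, and the "SSHA-Password"/"NT-Password" names stand in for whatever the server's own table uses.

```python
import base64
import hashlib
import hmac

# Constructed mapping of userPassword {scheme} headers to RADIUS control
# attributes, in the spirit of the auto_header behaviour described in the
# reply (illustrative names, not a copy of rlm_ldap's own table).
HEADER_TO_ATTR = {
    None: "Cleartext-Password",  # no header: the value is the password itself
    "SHA": "SHA-Password",
    "SSHA": "SSHA-Password",
    "NT": "NT-Password",
}

# MS-CHAPv2 needs the NT hash (MD4 over the UTF-16LE password) or a cleartext
# to derive it from; a one-way SHA1/SSHA digest yields neither, hence the reject.
MSCHAP_COMPATIBLE = {"Cleartext-Password", "NT-Password"}

def split_header(value):
    """Return (SCHEME, payload); SCHEME is None when there is no {} prefix."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value

def map_password(value):
    """Which control attribute an LDAP userPassword value would become."""
    scheme, _ = split_header(value)
    if scheme not in HEADER_TO_ATTR:
        raise ValueError(f"unknown password scheme {scheme!r}")
    return HEADER_TO_ATTR[scheme]

def mschap_ok(value):
    """True only if an MS-CHAP2-Response could be verified from this value."""
    return map_password(value) in MSCHAP_COMPATIBLE

def make_ssha(password, salt=b"\x01\x02\x03\x04"):
    """Build an {SSHA} value: base64(sha1(password + salt) + salt). Salt is constructed."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(value, candidate):
    """What the server *can* do with {SSHA}: verify a cleartext (PAP) password."""
    scheme, payload = split_header(value)
    if scheme != "SSHA":
        return False
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
```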
