PEAP w/ freeradius to LDAP storing ntPassword not working - resolved

schilling schilling2006 at
Fri Nov 5 21:16:32 CET 2010

I am able to have peap/mschapv2 work with ldap nt hash.

radtest -t mschap will not work for peap/mschapv2; the real Windows
supplicant and wireless access point will work.

The format in ldap is not relevant, w/ or w/o the preceding 0x will work.

The configurations I changed from the default are the following:
clients.conf to add testing AP ip and secret
eap.conf to add the real certificate thing etc.
modules/ldap to add the ldap proxy account information.
site-enabled/inner-tunnel - uncomment the ldap line in authorize
  authorize {
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set

Now whenever I try to have a virtual server for another instance, it
has the same error as before.

Then I copied the site-enabled/default content and put it within the
virtual server, and it's working again. I then tried to reduce it to the
minimum necessary configuration; the following is for the virtual
server to work:

server ldap_ntpassword_1814 {
   listen {
        type = auth
        ipaddr = *
        port = 1814
   }
   listen {
        ipaddr = *
        port = 1815
        type = acct
   }
   authorize {
        eap {
                ok = return
        }
   }
   authenticate {




On Fri, Nov 5, 2010 at 7:12 AM, schilling <schilling2006 at> wrote:
> I asked the ldap admin to change the format of the ntPassword to
> prepend 0x; now radius -X gets the right hash, but it still says
> no "known good" password was found in LDAP. Nevertheless, the
> authorization is ok. What is the right format to put in our ldap
> ntPassword attribute? Should I ignore the error and focus on the
> Auth-Type error?
> I will reinstall 2.1.0 with all default, and try it again.
> Thanks,
> Schilling
> [ldap] looking for check items in directory...
>  [ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure
> that the user is configured correctly?
> [ldap] user sding authorized to use remote access
>  [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> On Thu, Nov 4, 2010 at 11:10 PM, Alan DeKok <aland at> wrote:
>> schilling wrote:
>>> Found Auth-Type = EAP
>>>   WARNING: Unknown value specified for Auth-Type.  Cannot perform
>>> requested action.
>>  You have edited the default configuration and broken it.  Don't do that.
>>  Alan DeKok.

More information about the Freeradius-Users mailing list