LDAP/MSCHAP

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Fri Nov 11 00:36:24 CET 2011


Please forgive the interjection, but does anyone know of a helper module like ntlm_auth that would work with LDAP? It seems like such a tool would make questions like this a non-issue.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of Sven Hartge
Sent: Thursday, November 10, 2011 5:24 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: LDAP/MSCHAP

Whitlow, Michael <mwhitlow at bumail.bradley.edu> wrote:

> I am really close to a successful Freeradius implementation for 802.1X 
> wireless using LDAP authentication on the back end.

Nope, you are not very close.

You _cannot_ use any LDAP authentication (via binding with a DN to the LDAP server) with any CHAP authentication. This will never work.

You cannot use LDAP as an authentication oracle here, you have to use it more like a database.

See http://deployingradius.com/documents/protocols/oracles.html, quote:

"An authentication oracle is a system where the RADIUS server does not perform the authentication itself, but instead passes the user's authentication credentials to another system."

This does NOT work with MSCHAP, since the RADIUS server _does not have_ the complete authentication credentials in this case; it is missing the password. The only thing it has is the hashed version, the so-called "challenge".

> Here is what I have:

> - RADTEST / clear text Freeradius password from "users" file / WORKS GREAT

Works because of the cleartext password.

> - Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / clear text Freeradius password from "users" file / WORKS GREAT

Works because of the cleartext password.

> - RADTEST / LDAP credentials / WORKS GREAT

Works, because this uses PAP, which does _not_ need a cleartext password on the RADIUS server: radtest supplies a cleartext password itself in the RADIUS packet (inside attribute User-Password), and the server's ldap module can then use this information to bind to the LDAP server using the username and the supplied password from radtest.

CHAP does _not_ work like this.

> - Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / LDAP credentials / NO GO

Does not work, because you don't have any cleartext password in the RADIUS server, because your LDAP setup does not provide one.

And before you ask: no, just reading userPassword from the LDAP server will not help, because in 99.9% of cases this is a crypted password, mostly hashed using SHA1.

> Here is the debug output. I have read others online with these 
> symptoms but nothing I have found yet will help me.

This is untrue. This comes up every fscking time anyone tries to use LDAP and MSCHAP. It is a common error.

> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.

You will need to do the following:

a) set up a special user inside your LDAP tree for freeradius. This special user needs to have the correct permissions to read an attribute with the cleartext password of any user.

b) configure this special user in {confdir}/modules/ldap, search for "identity"

c) change password_attribute to the cleartext-password attribute you are using if it is not userPassword. (I strongly recommend using a different password attribute for your users, but the default is OK too, if you don't mind having the main password for a user being in cleartext inside your LDAP tree.)

This way FreeRADIUS logs into the LDAP server using its own credentials, searches for the username, reads the cleartext password and _THEN_ the mschapv2 module is able to work.

This is the _only_ way to get MSCHAPv2 to work with LDAP.
And this has been discussed in this list every time anyone tried to tie LDAP and FreeRADIUS.

Regards,
Sven.

--
Sigmentation fault. Core dumped.
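An added example of the oracle-versus-database distinction Sven describes above; this is my code, not from the thread or from FreeRADIUS. It uses RFC 1994 CHAP (MD5) in place of MS-CHAPv2 because the Python standard library has no MD4/DES, but the structural point is identical: PAP can be delegated to an LDAP bind, while any CHAP variant forces the server to recompute the response from a cleartext secret it must be able to read. The directory contents and the `radiusClearPassword` attribute name are constructed for the example.

```python
import base64
import hashlib
import hmac


def _sha_userpassword(password: str) -> str:
    """OpenLDAP-style {SHA} userPassword value (constructed sample data)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed sample directory, not from the post. userPassword is hashed, as in
# almost every real tree; radiusClearPassword stands in for the extra cleartext
# attribute that only the FreeRADIUS service account (steps a-c) may read.
DIRECTORY = {
    "mwhitlow": {
        "userPassword": _sha_userpassword("Winter2011!"),
        "radiusClearPassword": "Winter2011!",
    },
}


def ldap_bind(username: str, password: str) -> bool:
    """Authentication oracle: bind as the user. The directory checks the
    supplied cleartext against its stored hash and answers only yes/no."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return False
    return hmac.compare_digest(entry["userPassword"], _sha_userpassword(password))


def ldap_read_attribute(username: str, attribute: str):
    """Database-style access: the server binds with its own identity and reads
    one attribute of the user's entry (what password_attribute selects)."""
    return DIRECTORY.get(username, {}).get(attribute)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: the client returns MD5(Identifier || secret || challenge).
    The secret itself never crosses the wire; only this hash does."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def pap_authenticate(username: str, user_password: str) -> bool:
    """PAP (what radtest sends): User-Password is in the packet, so the server
    can hand it straight to the bind oracle."""
    return ldap_bind(username, user_password)


def chap_authenticate(username, ident, challenge, response, password_attribute) -> bool:
    """CHAP: the server must recompute the response itself, which needs the
    cleartext secret. A bind oracle is useless here because there is no
    cleartext to bind with; a hashed userPassword is just as useless."""
    secret = ldap_read_attribute(username, password_attribute)
    if secret is None or secret.startswith("{"):  # missing, or a hashed value
        print("[chap] No Cleartext-Password configured. Cannot verify response.")
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)
```

With `password_attribute` pointing at the hashed userPassword the CHAP check fails with the same diagnosis the mschap module prints in the debug output; pointing it at the cleartext attribute makes it succeed.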
