Another LDAP/MSCHAPv2 problem

Alan DeKok aland at deployingradius.com
Thu Feb 9 16:35:25 CET 2012


Francois Gaudreault wrote:
> I am trying to make PEAP working with an LDAP/Samba backend and
> MSCHAPv2.  It works well for the user authentication (they have lm and
> nt stored in the LDAP).  However, the machine auth is causing issues. It
> appears to have only the NT-Password stored in the LDAP.  I thought it
> should be sufficient for the MSCHAP to handle the auth, is it?

  It should.  But machine authentication is... weird.

  If you're running a recent version, machine authentication *should* work.

> [ldap] looking for check items in directory...
>   [ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W          ]"
>   [ldap] userPassword -> Password-With-Header == "..."
>   [ldap] ntPassword -> NT-Password == 0x34343446...242

  Hmm... that looks a lot like it's ASCII.  i.e. "444..."  Maybe that's
the problem?  You have an ASCII string that's being interpreted as the
NT password.  Instead, it needs to be interpreted as the *printed* form
of the password.

  Make sure it's the correct length (16), and that the password is being
treated as hex.

  One way to do this is to list "pap" last in the authorize section.  It
goes through the various password attributes, and fixes them to be correct.

  Alan DeKok.
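As an added illustration of the length and hex check described above (example code written for this page, not part of the thread or of FreeRADIUS's rlm_pap), this normalizes an NT-Password value pulled from a directory into the raw 16-byte hash that MS-CHAP needs, and shows why an ASCII-hex value prints as `0x3434...` in the debug output. The sample hash and the `normalize_nt_password`/`debug_form` names are constructed for the example.

```python
import binascii
import re

NT_HASH_LEN = 16                      # MD4 over UTF-16LE: always 16 bytes
HEX32 = re.compile(rb"^[0-9a-fA-F]{32}$")


def normalize_nt_password(value: bytes) -> bytes:
    """Return the raw 16-byte NT hash for any form the directory may hand us.

    Accepted forms (the same ones the thread says to check for):
      * 16 raw bytes                           -> used as-is
      * 32 hex characters, optional 0x prefix  -> hex-decoded (the "printed" form)
    Anything else is rejected instead of being silently fed to MS-CHAP.
    """
    if len(value) == NT_HASH_LEN:
        return value
    text = value[2:] if value[:2].lower() == b"0x" else value
    if HEX32.match(text):
        return binascii.unhexlify(text)
    raise ValueError(f"NT-Password has unexpected length/format: {len(value)} bytes")


def debug_form(value: bytes) -> str:
    """Render an attribute the way a RADIUS debug log prints binary data."""
    return "0x" + binascii.hexlify(value).decode()


# Constructed sample: one 16-byte hash, stored three different ways.
SAMPLE_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
STORED_FORMS = {
    "raw":        SAMPLE_HASH,
    "ascii-hex":  b"8846F7EAEE8FB117AD06BDD830B7586C",   # what this thread's LDAP holds
    "0x-hex":     b"0x8846f7eaee8fb117ad06bdd830b7586c",
}

if __name__ == "__main__":
    for label, stored in STORED_FORMS.items():
        # The ascii-hex entry shows as 0x38383436... (ASCII '8','8','4','6'),
        # which is the pattern seen in the quoted debug output.
        print(f"{label:10s} log shows {debug_form(stored)[:18]}... "
              f"-> {len(normalize_nt_password(stored))} bytes after normalizing")
```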
