Problems with 802.1x

alan buxey A.L.M.Buxey at lboro.ac.uk
Tue Nov 20 18:48:44 CET 2012


Hi,
>    So here is a debug again. Like I said, SQL is uncommented on inner-tunnel.

that's better - and yes it is uncommented... the debug shows that nicely :-)

>    ++[sql] returns ok

ok

>    [pap] Normalizing MD5-Password from hex encoding

the password is MD5 encrypted.

>    rlm_eap_mschapv2: Issuing Challenge

and that's your problem. 802.1X methods like PEAPv0/MSCHAPv2 (standard Microsoft PEAP)
DO NOT send the password to the server. instead, they use a challenge-response method,
which means that you need to be able to KNOW the actual password - so you need to
have a copy of it.

this all comes down to compatibility... which, once again, highlights the requirement
to read the documentation - particularly the web site which I have already mentioned:

http://deployingradius.com/documents/protocols/compatibility.html

so....the passwords in DB need to be clear or NT-hash

your current non-802.1X stuff works because the captive portal actually sends
the user-password across to the RADIUS server... so it can do an MD5 and see
that it just matches the database value.

alan
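
Added example, not part of the original post and not FreeRADIUS code: a sketch of why a stored MD5 value works when the password itself arrives at the server (the captive-portal case) but not for a challenge-response method, while clear text or NT-hash does. The function names are hypothetical, the sample password is constructed, and HMAC-SHA256 is used as a stand-in for the real DES-based MSCHAPv2 response calculation.

```python
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:
                f, k, s = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4]
            elif i < 32:
                f, k, s = (b & c) | (b & d) | (c & d), 4 * (j % 4) + j // 4, (3, 5, 9, 13)[j % 4]
                f += 0x5A827999
            else:
                f, k, s = b ^ c ^ d, r3[j], (3, 9, 11, 15)[j % 4]
                f += 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + X[k]) & 0xFFFFFFFF, s), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # NT-hash = MD4(UTF-16LE(password))

def chap_response(nt: bytes, challenge: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA256 stands in for the DES-based MSCHAPv2 response
    return hmac.new(nt, challenge, hashlib.sha256).digest()

def verify_pap(kind: str, stored: bytes, sent_password: str) -> bool:
    """PAP: the password reaches the server, so any stored form can be checked."""
    derive = {"clear": str.encode,
              "md5": lambda p: hashlib.md5(p.encode()).hexdigest().encode(),
              "nt": nt_hash}[kind]
    return hmac.compare_digest(derive(sent_password), stored)

def verify_chap(kind: str, stored: bytes, challenge: bytes, resp: bytes):
    """Challenge-response: only resp arrives, so the server needs the NT-hash."""
    if kind == "md5":
        return None  # an MD5 digest cannot be converted into an NT-hash
    key = nt_hash(stored.decode()) if kind == "clear" else stored
    return hmac.compare_digest(chap_response(key, challenge), resp)
```

`verify_chap` returns `None` for the MD5 case because the server has nothing from which to recompute the expected response.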

