using userPassword instead sambaNTPassword

Sven Hartge sven at svenhartge.de
Sun Sep 21 02:33:01 CEST 2014


On 19.09.2014 20:26, Nicolás Guerra wrote:

> please forgive my ignorance, I'm new in freeRADIUS, I'm just trying to
> make it work as I'd been asked (users should authenticate with the
> userPassword attr).

You can't.

Unless the userPassword attribute stores the password in plain text, it
is mathematically impossible to get this to work with MS-CHAPv2. And by
saying "impossible" I mean "impossible". It will never work. It can
never work. Stop trying to get it to work.

You have some options:

a) Store the password also in a different attribute in plain text. Use
that instead of the userPassword attribute for MS-CHAPv2.

b) Store the password also in the sambaNTPassword attribute, hashed in
the format it needs to be.

c) Don't use MS-CHAPv2 but PAP. This will not work with any Windows
prior to Windows 8. If you need to support Windows XP/Vista/7 without
additional tools, this is no option for you.

Regards,
Sven.
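
The following is an added example, not part of the original post, illustrating options a) and b): the sambaNTPassword value is the MD4 digest of the UTF-16LE password, so it can only be derived when the plain text is available, never from a one-way hashed userPassword. The helper names, the scheme prefixes treated as cleartext, and the sample values are assumptions made for this example.

```python
import struct

M = 0xFFFFFFFF
R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled with OpenSSL 3."""
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & M
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F
                f, k, s, t = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2: G
                f, k, s, t = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: H
                f, k, s, t = b ^ c ^ d, R3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + x[k] + t) & M, s), b, c
        h = [(v + w) & M for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """Value for sambaNTPassword: hex MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le")).hex().upper()

def mschapv2_material(user_password: str):
    """Return the NT hash derivable from a userPassword value, or None if impossible."""
    if user_password.startswith("{") and "}" in user_password:
        scheme, _, rest = user_password[1:].partition("}")
        # Assumption: only these prefixes mark a plain-text value.
        if scheme.lower() not in ("clear", "cleartext"):
            return None  # one-way hash ({SSHA}, {CRYPT}, ...): password not recoverable
        user_password = rest
    return nt_hash(user_password)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for value in ("{CLEARTEXT}password", "password", "{SSHA}Y29uc3RydWN0ZWRzYW1wbGU="):
        print(f"{value!r:45} -> {mschapv2_material(value)}")
```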
