Yet Another PEAP-MSCHAPV2 problem

Alex Moen alexm at ndtel.com
Tue Sep 22 00:06:29 CEST 2015


Hi Alan,

Yeah, I figured that out once I found that I was barking up the wrong... 
um... branch.  I have modified my config to look for the full 
user@domain, as it is in our UIDs.

Thanks for the link, I will read through that.  Half the battle is 
finding the proper information.  I am changing to use the Samba NT 
Password field, since I'm using MSCHAPv2 and this is the only field 
(other than a cleartext password field) that will work.  Still running 
into issues, though, and now it's quitting time...

Thanks!!!

Alex


On 09/21/2015 04:55 PM, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> of the differences between the "branches" of the directory tree, is
>> that the incorrect one is using Crypt passwords, and the correct one
>> is using SSHA passwords.  Seems that the SSHA passwords are not
>> working while the Crypt passwords do.
>
> well, as others have pointed out, there's an issue with the format of
> the name too.  uid=xxxxx must match, you can't look for uid=user and
> expect uid=user@realm to match  - so you may want to vary your ldap
> query based on the username - perhaps do a user-name check if there's
> a realm that's not handled properly?
>
> how does your LDAP server present the password? LDAP is not an authentication
> system, it's an 'oracle' of values - so you may need to tell FreeRADIUS what
> format the reply value is - read the LDAP and FreeRADIUS password format docs
>
> eg http://wiki.freeradius.org/modules/rlm_ldap
>
>
> alan

-- 
Alex Moen
NSTII
North Dakota Telephone Company
701-662-6481
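
Added example (not part of the original thread, and not FreeRADIUS code): a small Python check of which stored LDAP password formats can serve MSCHAPv2. It shows that an SSHA value can verify a password the server receives in cleartext, but only a cleartext value or an NT hash works when the password is never sent. The function names and sample entries are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, password: str) -> bool:
    """PAP-style check: works because the server sees the cleartext."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def classify(attr: str, value: str) -> str:
    """Return the storage format of one LDAP password attribute value."""
    if attr.lower() == "sambantpassword":
        ok = re.fullmatch(r"[0-9A-Fa-f]{32}", value)
        return "nt-hash" if ok else "invalid"
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    if m is None:
        return "cleartext"
    scheme = m.group(1).lower()
    return "cleartext" if scheme in ("clear", "cleartext") else scheme

def usable_for_mschapv2(attr: str, value: str) -> bool:
    """MSCHAPv2 never sends the password, so the server needs the NT hash
    itself or the cleartext to derive it; one-way hashes cannot be used."""
    return classify(attr, value) in ("cleartext", "nt-hash")

# Constructed sample entries (not real credentials or hashes).
SAMPLES = [
    ("userPassword", make_ssha("constructed-pw", b"\x01\x02\x03\x04")),
    ("userPassword", "{CRYPT}$6$constructedsalt$constructedhash"),
    ("userPassword", "constructed-pw"),
    ("sambaNTPassword", "0123456789ABCDEF0123456789ABCDEF"),
]

if __name__ == "__main__":
    for attr, value in SAMPLES:
        print(f"{attr:16} {classify(attr, value):10} "
              f"mschapv2={usable_for_mschapv2(attr, value)}")
```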

