OpenLDAP+FreeRadius Encryption

Alan DeKok aland at
Tue Feb 2 22:13:53 CET 2016

On Feb 2, 2016, at 4:06 PM, Greg Mischel Smith <gregms at> wrote:
> I'm sorry if I caused confusion, but getting this to work in
> plain/clear-text has never been an issue. Yes I've done plenty of
> radtest, I've read lots and lots of threads, but I was still having
> trouble and had specific questions so I came here.

  You should make it clear what you've done, and why.  When you post a message where the server complains about "No Cleartext-Password", that makes it look like you haven't bothered reading the server output.

> My desire is to use encrypted passwords in OpenLDAP and somehow make
> this work.

  This is pointed to from the Wiki, among other places.

> GTC seems to be the only option but Android and Mac (in
> particular) keep trying to choose mschapv2.

  Did you configure those systems to use GTC?

> From the thread so far, I
> was getting the impression I should be able to make it work so that's
> what I was trying.

  "Just make it work" is not a thing computers do.

> Maybe I misunderstood, but I thought what was being
> said was to just set the default in the eap file in the PEAP section
> to GTC.

  Yes.  That works to set the default eap type.  BUT the supplicant can ask for another EAP type.

> But if I do an encrypted or unencrypted password, it tries
> mschapv2 first (despite the default in eap being set to GTC). Am what
> I'm doing practical and possible?

  Yes.  Configure the supplicant to use GTC.  Configure the server to use GTC.

  If you just configure one end, it won't work.  BOTH have to be set to use GTC.

  Alan DeKok.

More information about the Freeradius-Users mailing list