Help for configuration 3.0.11

Alan DeKok aland at
Wed Sep 28 20:28:17 CEST 2016

On Sep 28, 2016, at 1:21 PM, Philipp Trenz <mail at> wrote:
> I'm trying to configure v3.0.11 and have some problems to understand how freeradius requests the configuration.
> The plan is to process requests via PEAP/MS-CHAPv2 to check MD4-Hashes against NT-Password-Attribute at a LDAP database.

  1) configure theLDAP module
  2) enable it in the raddb/mods-enabled/ directory
  3) test PEAP
  4) it will work.

> As I understand, PEAP gets processed within the outer default-virtual server and this passes the inner MS-CHAPv2 to inner-tunnel. Now I'm not shure if it has to be processed through the mschap-module or through ldap-module. If mschap-module where or when does freeradius get the NT-Password from LDAP? Does the mschap-module trigger the ldap-module?

  The authentication data inside of the TLS tunnel gets passed to the inner-tunnel virtual server.

  There, the LDAP module is queried for the known password.

  Then, the MS-CHAP module uses the known password to authenticate the user.

> In details I want to upgrade a working 2.0.0 configuration to 3.0.11 (and then update to the upcoming 3.0.12 release). Another point I'm struggeling are the mappings of the LDAP attributes. I have the old ldap.attrmap, but don't know how to bring
> checkItem	$GENERIC$			radiusCheckItem
> replyItem	$GENERIC$			radiusReplyItem
> to the new configuration. changing the NT-Password is more simple ;)

  See raddb/mods-available/ldap.  Look for the "update" block in that file.  This is documented.

  Alan DeKok.

More information about the Freeradius-Users mailing list