PEAP/EAP-MSCHAPv2 with OpenLDAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Aug 3 20:39:17 CEST 2017


> On Aug 3, 2017, at 12:33 PM, mr mh1113 <mrmh1113 at gmail.com> wrote:
> 
> Well, it's not as easy as one might think.
> 
> I am getting this error:
> NT-Password found but incorrect length, expected 16 bytes got 40 bytes.
> Authentication may fail

If you want it to "just work" your password value should be a binary type with no header.

If you'd rather work around your issues...

ldap
if (control:NT-Password =~ /^{.*}(.*)/) {
	update control {
		NT-Password := "0x%{1}"
	}
}

> An MD4 hash has 32 characters; it's a hex number, so 2 characters = 1
> byte. 32 / 2 = 16 bytes, and this "length" is what's expected.
> Another 8 bytes (32 + 8 = 40) are the header {nthash}, curly brackets

The rest of the server knows nothing about LDAP's predilection for hash prefixes.

> included. I've tried the {nt} header and a blank header with no success.
> It seems that FreeRADIUS interprets the value in my custom LDAP attribute as
> plain text, not a hex number.
> The LDAP attribute is of type "text".

Yes.

> Custom LDAP attribute contains text value E217DE3A51C1329B751A28B9792F42DB.

No, it should contain the binary value.

> There was a thread about a similar problem:
> https://github.com/FreeRADIUS/freeradius-server/issues/679
> I use FreeRADIUS 3.0.4 from CentOS 7 with backported fixes from upstream.

I'd strongly recommend using 3.0.15.

http://packages.networkradius.com/centos/7/repo/

-Arran