PEAP/EAP-MSCHAPv2 with OpenLDAP
Alan DeKok
aland at deployingradius.com
Thu Aug 3 21:47:36 CEST 2017
On Aug 3, 2017, at 6:33 PM, mr mh1113 <mrmh1113 at gmail.com> wrote:
>
> Well, it's not as easy as one might think.
It should be simple if you use a recent version, and standard LDAP schemas. Despite various complaints, we *do* try to make it simple to configure the user.
> The MD4 hash has 32 characters; it's a hex number, so that means 2 characters = 1
> byte. 32 / 2 = 16 bytes, and this "length" is expected.
> Another 8 bytes (32 + 8 = 40) is the header {nthash}, with curly brackets
No... that's not an NT password. That's an NT password with magic LDAP crap pre-pended to it.
> included. I've tried the {nt} header and a blank header with no success.
How about no header?
> It seems that FreeRADIUS interprets the value in my custom LDAP attribute as
> plain text, not as a hex number.
So... you created a custom LDAP attribute / schema, and are surprised that FreeRADIUS doesn't magically figure out what you mean?
> The LDAP attribute is of type "text".
>
> The custom LDAP attribute contains the text value E217DE3A51C1329B751A28B9792F42DB.
Then pass that text value directly into the NT-Password attribute. It *will* work.
If the hash you give above is 32 characters long, and FreeRADIUS expects a 32-character hash... then it should be straightforward to connect the two.
> There was a thread about a similar problem:
> https://github.com/FreeRADIUS/freeradius-server/issues/679
> I use FreeRADIUS 3.0.4 from CentOS 7 with backported fixes from upstream.
Use 3.0.15. Please. 3.0.4 is *years* out of date.
Alan DeKok.
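One way to do what the reply recommends, as an added example that is not from the original thread or from the FreeRADIUS project's own configuration files: the 3.0.x ldap module's `update` section copies LDAP attributes into RADIUS attribute lists, so the custom attribute can be copied straight into `control:NT-Password` without any intermediate parsing. The attribute name `ntPasswordHash`, the server, the base DN and the bind credentials are assumptions; the stored value is taken to be the bare 32-character hex hash with no `{nthash}` or `{nt}` header, which the reply above says is accepted as-is.

```conf
# mods-available/ldap (FreeRADIUS 3.0.x), trimmed to the settings that matter here.
# Assumed for this example: the custom attribute is named ntPasswordHash and holds
# the 32-character hex NT hash, e.g. E217DE3A51C1329B751A28B9792F42DB, with no
# {nthash} or {nt} header in front of it.
ldap {
	server = 'ldap.example.org'                  # assumed
	identity = 'cn=radius,dc=example,dc=org'     # assumed bind DN
	password = 'change-me'                       # assumed bind password

	base_dn = 'dc=example,dc=org'                # assumed

	update {
		# Copy the bare hex hash into the control list. The mschap module
		# looks for control:NT-Password; no clear-text password is needed
		# for EAP-MSCHAPv2. A value with an {nthash} prefix would be 40
		# characters and would not be treated as an NT hash.
		control:NT-Password := 'ntPasswordHash'
	}

	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}
```

For PEAP the lookup has to happen on the inner request, so `ldap` must be listed in the `authorize` section of the `inner-tunnel` virtual server, and the bind identity must be allowed to read the attribute. Running the server with `radiusd -X` shows the `control:NT-Password` value being added after the LDAP search, which is the quickest check that the mapping works before testing a real client.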