FreeRadius + OpenLDAP + MSCHAP2
Matthew Newton
mcn4 at leicester.ac.uk
Fri Feb 3 11:35:58 CET 2017
On Fri, Feb 03, 2017 at 08:59:12AM +0000, SolidSystems | Alex Grigorescu wrote:
> But the goal is to be able to do user logins using the existing
> passwords without installing any 3rd party software on the
> clients (which is an impossible task).
>
> Is there a way to make FreeRadius authenticate the users against
> OpenLDAP without having ClearText or NT Hash stored passwords?

No, MSCHAPv2 can only work with NT hash or cleartext passwords.
The limitation is the protocols, not FreeRADIUS.

See http://deployingradius.com/documents/protocols/compatibility.html

Your only option with Windows (8 or newer) is to use EAP-TTLS/PAP.
But Windows 7 can't do that without a 3rd party supplicant
installed.

Or, as you've found, either rehash all the passwords, or go one
step better and use EAP-TLS with certificates.

Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
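
The compatibility point in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: with PAP the server receives the password and can re-hash it against whatever LDAP stores, while MSCHAPv2 needs the cleartext or NT hash to already be on the server. It assumes the existing LDAP passwords are salted SHA-1 (`{SSHA}`) values; the `{NT}` label, the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac


def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str):
    """Return (SCHEME, rest); a value with no {SCHEME} prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, rest = stored[1:].split("}", 1)
        return scheme.upper(), rest
    return "CLEARTEXT", stored


def pap_verify(stored: str, supplied: str) -> bool:
    """PAP (e.g. inside EAP-TTLS) hands the server the password itself,
    so the server can re-hash it with the stored salt and compare."""
    scheme, rest = split_scheme(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(rest.encode("utf-8"), supplied.encode("utf-8"))
    if scheme == "SSHA":
        raw = base64.b64decode(rest)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        candidate = hashlib.sha1(supplied.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, candidate)
    raise ValueError("scheme not handled in this example: " + scheme)


def mschapv2_possible(stored: str) -> bool:
    """MSCHAPv2 never sends the password, only a challenge response, so the
    server must already hold the cleartext or the NT hash. A salted SHA-1
    value cannot be turned into either. '{NT}' is this example's own label."""
    scheme, _ = split_scheme(stored)
    return scheme in ("CLEARTEXT", "NT")


# Constructed sample entry, not taken from any real directory.
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE_STORED = make_ssha("correct horse", SAMPLE_SALT)

if __name__ == "__main__":
    print("PAP, right password:", pap_verify(SAMPLE_STORED, "correct horse"))
    print("PAP, wrong password:", pap_verify(SAMPLE_STORED, "wrong"))
    print("MSCHAPv2 usable:", mschapv2_possible(SAMPLE_STORED))
```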