Porting eduroam from 2 to 3

Alan DeKok aland at deployingradius.com
Wed Sep 27 14:15:03 CEST 2017

On Sep 27, 2017, at 4:52 AM, Olivier <Olivier.Nicole at cs.ait.ac.th> wrote:
> So far, the authorize is OK, but the Auth-Type is set to inner-eap and
> it will not try another LDAP bind in the authentication section:

  Because LDAP bind doesn't work with MS-CHAP.

> (8) ldap_wifi: EXPAND (&(csimAccountPermission=firewall)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
> (8) ldap_wifi:    --> (&(csimAccountPermission=firewall)(uid=on))
> (8) ldap_wifi: Performing search in "ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" with filter "(&(csimAccountPermission=firewall)(uid=on))", scope "one"
> (8) ldap_wifi: Waiting for search result...
> (8) ldap_wifi: User object found at DN "uid=on,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
> (8) ldap_wifi: Processing user attributes
> (8) ldap_wifi: control:Password-With-Header += '{MD5}something=='

  Read this page:


> (8) inner-eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (8) inner-eap: Calling submodule eap_mschapv2 to process data
> (8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-eduroam
> (8) eap_mschapv2:   authenticate {
> (8) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (8) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
> (8) mschap: Creating challenge hash with username: on at cs.ait.ac.th
> (8) mschap: Client is using MS-CHAPv2

  MD5 hashed passwords won't work with MSCHAP.

> In version2, I used to have:

  And v2 also didn't work with MD5 hashed passwords and PEAP.

  You need to:

a) put clear-text (or nt-hash) passwords into the DB


b) use an EAP method which is compatible with MD5 passwords, such as EAP-TTLS with PAP.

  Pick one.

  Alan DeKok.

More information about the Freeradius-Users mailing list