router, freeradius, freeipa

Alan DeKok aland at
Fri Dec 20 23:22:43 CET 2019

On Dec 19, 2019, at 7:38 PM, Robert <rwt at> wrote:
>  I have a feeling I'm really close to getting this to work. Spent a
> lot of time reading old posts and such. If I don't use mschap it works
> (first try). If I use mschap it doesn't (Second try).

  That's always the same issue: password formats.

  Please read the documentation about what to post to the list:

  We DON'T need to see the output of radclient.  We DON'T need to see the output of tests which work.

> (1) ldap: control:Password-With-Header +=
> '{PBKDF2_SHA256}AAAIAEhOrJwqZkQ2Xq6WP4lVdbpoUu6uUvswCNAcoxTx1yHPt79yzSK
> ZC1pPccla4Pmnkcj1HPeKF6zuWC0srkIND9fiJuG6Q3Npsd8la6B6smIqgt4mI0WhYtY2Us
> dGd2uloy15ST+tK+WO4pZfOJbZ4zI82qbd3zgzeD1QSnT/F0oxLZ4yUcr6aYbSi1/I4KCYP
> 6tJFb9Cnq8eXXbdp6JCpNw1VCn+a9TYrjCPkP+kwglCX28Ovq9zt8VX5K/19PysnChU9vaX
> ZWwbfiTk0rbissyoBcYIzruO73f18zsyWUYiXHpq0GyybK0d8X4ddC5DxRTDilzZ3GuCBUm
> uFNaviktPV66jfoMclpPI1LFRZJjND5T6/xSTTKIyO7GDrERM2HdX1oVElLKzdBCbu0IfhS
> kHw6dcYaJ2cx5DQM/tdv5u'
> ...
> (1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-writing to Cleartext-Password

  That's pretty clear.

  The passwords are stored in a format that FreeRADIUS doesn't understand.

> (1) mschap: Found Cleartext-Password, hashing to create NT-Password
> (1) mschap: ERROR: Failed generating NT-Password

  Because the Cleartext-Password is *not* that big blob above.

> Please let me know if I can provide anything else that would be useful.

  When you join the list, you get sent an email with a link to the wiki.  The email tells you what we need.

> If there is a guide on how to get dd_wrt, freeradius and freeipa
> working I'd like to see that. I've read a bunch of them so far. This is
> the closest I can get.

  The Wiki actually has pretty good documentation, as do the default configuration files.  It's almost 2020.  We don't recommend reading random web pages that are likely years out of date.

> python3-samba-4.11.3-0.fc31.x86_64            Thu 19 Dec 2019 05:50:53

  We don't need to see lists of RPMs on the system.

  Read this web page.  That page has existed for ~15 years, and documents protocol compatibility:

  The "pap" test fails, because you're forcing "Auth-Type := LDAP".  Which means that the LDAP module uses the user's password to do a "bind as user" to LDAP.  So the LDAP server does the authentication.

  LDAP servers do *not* support MS-CHAP authentication.

  Your choices are listed on the web page above.

  Alan DeKok.
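As an added illustration of the password-format point made above (this is not code from the thread, from FreeRADIUS or from FreeIPA): a small Python check that verifies a PAP cleartext password against a 389-ds/FreeIPA-style {PBKDF2_SHA256} value, assumed here to be base64(4-byte big-endian iteration count || 64-byte salt || 256-byte PBKDF2 output), and that shows why the same value can never serve MS-CHAP, which needs the NT hash of the cleartext. The header set in mschap_possible is an illustrative subset, not FreeRADIUS's full header table.

```python
import base64
import hashlib
import hmac
import os
import struct

# Layout assumed for a 389-ds / FreeIPA "{PBKDF2_SHA256}" userPassword value:
# base64( iterations as 4-byte big-endian || 64-byte salt || 256-byte PBKDF2 output ).
ITER_LEN, SALT_LEN, HASH_LEN = 4, 64, 256
HEADER = "{PBKDF2_SHA256}"


def encode_pbkdf2_sha256(password, iterations=8192, salt=None):
    """Build a stored value in the layout above (random salt unless one is given)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    return HEADER + base64.b64encode(struct.pack(">I", iterations) + salt + digest).decode("ascii")


def verify_pap(stored, candidate):
    """PAP-style check: the client sent cleartext, so the one-way hash can simply be recomputed."""
    if not stored.startswith(HEADER):
        raise ValueError("unsupported password header: " + stored.split("}", 1)[0] + "}")
    blob = base64.b64decode(stored[len(HEADER):])
    if len(blob) != ITER_LEN + SALT_LEN + HASH_LEN:
        raise ValueError("malformed PBKDF2_SHA256 value")
    iterations = struct.unpack(">I", blob[:ITER_LEN])[0]
    salt = blob[ITER_LEN:ITER_LEN + SALT_LEN]
    expected = blob[ITER_LEN + SALT_LEN:]
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    return hmac.compare_digest(got, expected)  # constant-time comparison


# MS-CHAP needs NT-Password (MD4 of the UTF-16LE password). The server can derive
# that only from cleartext or from a stored NT hash; a one-way hash such as PBKDF2
# cannot be turned back into it. Illustrative header subset, not FreeRADIUS's table.
MSCHAP_CAPABLE_HEADERS = {"{clear}", "{cleartext}", "{nt}", "{x-nthash}"}


def mschap_possible(stored):
    """True if the stored format allows the server to obtain an NT hash."""
    header = stored.split("}", 1)[0] + "}" if stored.startswith("{") else "{cleartext}"
    return header.lower() in MSCHAP_CAPABLE_HEADERS


if __name__ == "__main__":
    stored = encode_pbkdf2_sha256("correct horse", salt=bytes(range(64)))  # constructed sample
    print("PAP   :", verify_pap(stored, "correct horse"), verify_pap(stored, "wrong"))
    print("MSCHAP:", mschap_possible(stored), mschap_possible("{cleartext}correct horse"))
```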
