EAP PEAP issues
Matt H
meh1963 at gmail.com
Mon Mar 20 16:44:42 UTC 2023
Hello Alan -
I think I described it badly. Our configuration does not use Active
Directory.
The order is this: supplicant (Mac or Windows) >> FreeRadius (via EAP and
PEAP or EAP and MSCHAP) >> FreeIPA ldap server (389DS)
I read the matrix at Deploying RADIUS: Protocol and Password Compatibility
<http://deployingradius.com/documents/protocols/compatibility.html> (lines
4, 5, and 6, first two columns) as supporting such a configuration.
thanks/mh
On Fri, Mar 17, 2023 at 5:56 AM Alan DeKok <aland at deployingradius.com>
wrote:
> On Mar 16, 2023, at 6:17 PM, Matt H <meh1963 at gmail.com> wrote:
> > This command (local user in ..users) works great:
> >
> > radtest -t mschap bob hello 127.0.0.1:18120 0 testing123
> >
> > Comes right back with 'hello bob' as it should. So presumably mschap is
> > working at some level, and Windows connects to it without much fuss and
> > bother.
>
> That's good...
>
> > This command doesn't:
> >
> > radtest -t mschap farhadtest Rambo5201 127.0.0.1:18120 0 testing123
> >
> > It tries to auth against ldap,
>
> LDAP doesn't do MS-CHAP.
>
>
> https://networkradius.com/articles/2021/10/08/authentication-system-and-protocol-compatibility.html
>
> > is *not* working from the CLI, and Windows
> > can't connect (obviously). Is mschap even working? It looks like it is,
> > but something else is misconfigured that's blocking external auth.
>
> You can't use LDAP to do MS-CHAP authentication to Active Directory.
> It's impossible.
>
> You must use Samba and ntlm_auth. See mods-available/ntlm_auth for
> documentation.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
Death before dishonour,
Nothing before coffee