EAP PEAP issues
Alan DeKok
aland at deployingradius.com
Mon Mar 20 18:59:43 UTC 2023
On Mar 20, 2023, at 12:44 PM, Matt H <meh1963 at gmail.com> wrote:
>
> Hello Alan -
> I think I described it badly. Our configuration does not use Active
> Directory.
> The order is this: supplicant (Mac or Windows) >> FreeRadius (via EAP and
> PEAP or EAP and MSCHAP) >> FreeIPA ldap server (389DS)
The LDAP server is not returning the clear-text password to FreeRADIUS.
> I read the matrix at Deploying RADIUS: Protocol and Password Compatibility
> <http://deployingradius.com/documents/protocols/compatibility.html>, (lines
> 4, 5, and 6 first two columns) as supporting such a configuration.
Does your LDAP server store passwords clear-text, or NT hash, *and* return those values to FreeRADIUS?
a) no - FreeRADIUS never sees the passwords from LDAP, so it doesn't matter what the web page says
b) yes - the debug log shows that the LDAP server isn't returning the password to FreeRADIUS. See the previous line...
You can't just look at the web page and go "it's possible". I know it's possible. It also doesn't help to quote the web page to me. I do understand the page, because I wrote it.
What you need to understand is that the web page is irrelevant. Because....
The debug output shows that the LDAP server isn't returning a password to FreeRADIUS. Therefore, MS-CHAP won't work. So.... configure the LDAP server to return a clear-text password to FreeRADIUS. Or make it return an NT hash to FreeRADIUS.
It will then work.
Alan DeKok.
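
An added example, not part of the original message and not FreeRADIUS code: a check of what an LDAP entry actually returned against the requirement stated above (clear-text password or NT hash) before expecting MS-CHAP to work. The attribute names `userPassword` and `sambaNTPassword`, the `mschap_usable` helper and the sample entries are assumptions constructed for illustration.

```python
import re

# Attribute names are assumptions for this example; substitute whatever
# your FreeRADIUS ldap module maps to the user's password and NT hash.
PASSWORD_ATTR = "userPassword"
NT_HASH_ATTR = "sambaNTPassword"

HEADER = re.compile(r"^\{([A-Za-z0-9_-]+)\}")
NT_HEX = re.compile(r"[0-9A-Fa-f]{32}")
CLEAR_SCHEMES = {"clear", "cleartext"}


def mschap_usable(entry):
    """Return (ok, reason) for one LDAP entry as FreeRADIUS received it.

    entry maps attribute name -> list of string values, holding only what
    the server returned to the identity FreeRADIUS binds as.
    """
    nt_values = entry.get(NT_HASH_ATTR, [])
    if any(NT_HEX.fullmatch(v) for v in nt_values):
        return True, "NT hash returned"
    pw_values = entry.get(PASSWORD_ATTR, [])
    if not nt_values and not pw_values:
        # The case in this thread: nothing for MS-CHAP to work with.
        return False, "no password attribute returned"
    schemes = set()
    for value in pw_values:
        m = HEADER.match(value)
        if m is None or m.group(1).lower() in CLEAR_SCHEMES:
            return True, "clear-text password returned"
        # A salted or one-way hash cannot be turned into an NT hash.
        schemes.add(m.group(1).upper())
    if schemes:
        return False, "only hashed passwords returned: " + ", ".join(sorted(schemes))
    return False, "NT hash attribute is malformed"


# Constructed sample entries, not taken from any real directory.
SAMPLES = {
    "hidden": {"uid": ["alice"]},
    "hashed": {"uid": ["bob"], "userPassword": ["{SSHA}Y29uc3RydWN0ZWQ="]},
    "clear": {"uid": ["carol"], "userPassword": ["{CLEAR}example-only"]},
    "nthash": {"uid": ["dave"], "sambaNTPassword": ["0123456789ABCDEF0123456789ABCDEF"]},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, mschap_usable(entry))
```

Feed it the attributes seen in the debug output for the account FreeRADIUS binds as, not what an LDAP administrator account can read.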