EAP PEAP issues

Alan DeKok aland at deployingradius.com
Mon Mar 20 18:59:43 UTC 2023

On Mar 20, 2023, at 12:44 PM, Matt H <meh1963 at gmail.com> wrote:
> Hello Alan -
> I think I described it badly.  Our configuration does not use Active
> Directory.
> The order is this:  supplicant (Mac or Windows) >> FreeRadius (via EAP and
> PEAP or EAP and MSCHAP)  >> FreeIPA ldap server (389DS)

  The LDAP server is not returning the clear-text password to FreeRADIUS.

> I read the matrix at Deploying RADIUS: Protocol and Password Compatibility
> <http://deployingradius.com/documents/protocols/compatibility.html>, (lines
> 4, 5, and 6 first two columns) as supporting such a configuration.
  Does your LDAP server store passwords clear-text, or NT hash, *and* return those values to FreeRADIUS?

a) no -  FreeRADIUS never sees the passwords from LDAP, so it doesn't matter what the web page says

b) yes - the debug log shows that the LDAP server isn't returning the password to FreeRADIUS.  See the previous line...

  You can't just look at the web page and go "it's possible".  I know it's possible.  It also doesn't help to quote the web page to me.  I do understand the page, because I wrote it.

  What you need to understand is that the web page is irrelevant.  Because....

  The debug output shows that the LDAP server isn't returning a password to FreeRADIUS.  Therefore, MS-CHAP won't work.  So.... configure the LDAP server to return a clear-text password to FreeRADIUS.  Or make it return an NT hash to FreeRADIUS.

  It will then work.

  Alan DeKok.