EAP PEAP issues

Matt H meh1963 at gmail.com
Mon Mar 20 20:35:41 UTC 2023


Thank you.  FWIW, quoting the page was more me trying to figure it out;
it wasn't intended to offend.
Your comments made me realize that freeradius is (to all intents and
purposes) working properly, and that the problem lies with the ldap host.
I'll need to figure that last bit out (your a and b above).  It should be
interesting with FreeIPA, which is notable for not making access to the
NTHash passwords simple.
thanks
/mh


On Mon, Mar 20, 2023 at 11:59 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Mar 20, 2023, at 12:44 PM, Matt H <meh1963 at gmail.com> wrote:
> >
> > Hello Alan -
> > I think I described it badly.  Our configuration does not use Active
> > Directory.
> > The order is this:  supplicant (Mac or Windows) >> FreeRadius (via EAP
> and
> > PEAP or EAP and MSCHAP)  >> FreeIPA ldap server (389DS)
>
>   The LDAP server is not returning the clear-text password to FreeRADIUS.
>
> > I read the matrix at Deploying RADIUS: Protocol and Password
> Compatibility
> > <http://deployingradius.com/documents/protocols/compatibility.html>,
> (lines
> > 4, 5, and 6 first two columns) as supporting such a configuration.
>
>   Does your LDAP server store passwords clear-text, or NT hash, *and*
> return those values to FreeRADIUS?
>
> a) no -  FreeRADIUS never sees the passwords from LDAP, so it doesn't
> matter what the web page says
>
> b) yes - the debug log shows that the LDAP server isn't returning the
> password to FreeRADIUS.  See the previous line...
>
>   You can't just look at the web page and go "it's possible".  I know it's
> possible.  It also doesn't help to quote the web page to me.  I do
> understand the page, because I wrote it.
>
>   What you need to understand is that the web page is irrelevant.
> Because....
>
>   The debug output shows that the LDAP server isn't returning a password
> to FreeRADIUS.  Therefore, MS-CHAP won't work.  So.... configure the LDAP
> server to return a clear-text password to FreeRADIUS.  Or make it return an
> NT hash to FreeRADIUS.
>
>   It will then work.
>
>   Alan DeKok.
>
>


-- 
Death before dishonour,
Nothing before coffee