EAP PEAP issues

Martin Pauly pauly at hrz.uni-marburg.de
Wed Mar 22 21:36:27 UTC 2023


> The order is this:  supplicant (Mac or Windows) >> FreeRadius (via EAP and
> PEAP or EAP and MSCHAP)  >> FreeIPA ldap server (389DS)

If there is no MSCHAP hash (or cleartext PW) in your LDAP backend, there will be no way to make this work.
The "bob" example works because FR has the cleartext PW ready and can do MSCHAP by itsself.
The "farhadtest" example does not because the backend neither has an MSCHAP hash nor a cleartext PW,
just a good (i.e. non-reversible) hash of the PW.

But you could make your Windows clients use EAP/TTLS-PAP instead of PEAP/MSCHAPv2, this _should_ work.

Cheers, Martin

   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20230322/3d5959f2/attachment.bin>

More information about the Freeradius-Users mailing list