EAP PEAP issues
Martin Pauly
pauly at hrz.uni-marburg.de
Wed Mar 22 21:36:27 UTC 2023
Hi,
> The order is this: supplicant (Mac or Windows) >> FreeRadius (via EAP and
> PEAP or EAP and MSCHAP) >> FreeIPA ldap server (389DS)
If there is no MSCHAP hash (or cleartext PW) in your LDAP backend, there will be no way to make this work.
The "bob" example works because FR has the cleartext PW ready and can do MSCHAP by itself.
The "farhadtest" example does not because the backend neither has an MSCHAP hash nor a cleartext PW,
just a good (i.e. non-reversible) hash of the PW.
But you could make your Windows clients use EAP/TTLS-PAP instead of PEAP/MSCHAPv2, this _should_ work.
Cheers, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
D-35032 Marburg
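
The point made in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: with PAP the server receives the password and can re-hash it against a salted one-way hash, while a challenge-response method needs a password-equivalent key on the server side. Assumptions: the backend hash is an LDAP-style {SSHA} value, the passwords are constructed samples, and HMAC-SHA256 stands in for the real MSCHAPv2 computation.

```python
import base64, hashlib, hmac

def ssha(password: str, salt: bytes) -> str:
    """Build an LDAP-style {SSHA} value: base64(SHA1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed backend records; user names from the thread, passwords are samples.
BACKEND = {
    "bob": {"cleartext": "hello"},                                   # server holds the PW
    "farhadtest": {"hashed": ssha("s3cret", b"\x01\x02\x03\x04")},   # one-way hash only
}

def pap_verify(user: str, submitted: str) -> bool:
    """PAP (e.g. inside an EAP-TTLS tunnel): the server gets the password itself."""
    rec = BACKEND[user]
    if "cleartext" in rec:
        return hmac.compare_digest(rec["cleartext"].encode(), submitted.encode())
    raw = base64.b64decode(rec["hashed"][len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(submitted.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def pw_key(password: str) -> bytes:
    """Stand-in for the NT hash: an unsalted digest of the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    """Supplicant side: sends a value keyed by the password, never the password."""
    return hmac.new(pw_key(password), challenge, hashlib.sha256).digest()

def challenge_verify(user: str, challenge: bytes, response: bytes):
    """True/False, or None when the server cannot compute the expected response."""
    rec = BACKEND[user]
    if "cleartext" not in rec:
        return None   # a salted one-way hash cannot be turned into pw_key
    expected = client_response(rec["cleartext"], challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    chal = bytes(16)  # constructed challenge
    print("PAP  bob       :", pap_verify("bob", "hello"))
    print("PAP  farhadtest:", pap_verify("farhadtest", "s3cret"))
    print("C/R  bob       :", challenge_verify("bob", chal, client_response("hello", chal)))
    print("C/R  farhadtest:", challenge_verify("farhadtest", chal, client_response("s3cret", chal)))
```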