Difficulties trying bind as user to openLDAP

Martin Pauly pauly at hrz.uni-marburg.de
Tue Mar 11 17:53:17 UTC 2025


Am 07.03.25 um 14:44 schrieb Alan DeKok:
> PAP is the best choice.
> You have to update the supplicant to allow EAP-TTLS-PAP.

citing myself 1 hour ago:
>> Agreed. In real life, it turns out that, as a remnant of the MS monopoly,
>> _all_ vendors of WiFi clients MUST support and test MS-CHAPv2 properly to
>> survive commercially -- counterexamples welcome 🙂
>> They MAY support PAP in addition. With a server side not speaking MS-CHAPv2,
>> odds are your life gets harder, especially if you're running a BYOD service.

Depending on the mixture (and number!) of clients, the support effort
caused by not supporting the seemingly ubiquitous MS-CHAPv2 may warrant
some effort on the server side :-( We enhanced our password update procedure
by calculating the NT-Hash ourselves whenever a user changes their password.
We store it in LDAP, FR pulls it to do MS-CHAPv2 without any Microsoft thing involved.
This is 100% reliable, but 10% of the security you really want as NT-Hash is
so easily cracked.

If you stick with PAP, you might want to take a look at
https://codeberg.org/Amebis/GEANTLink for balky Windows clients.
We used this tool around 2017 for a while before we figured out the above solution.
The developer is still around, and there seems to be some maintenance activity
on the code.

Cheers, Martin

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
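As an added illustration of the approach described in the message above (this is not code from the poster or from the FreeRADIUS project): the NT hash is simply MD4 over the password encoded as UTF-16LE, with no salt and no iteration, so a password-change hook can compute it itself and write it into LDAP. The example below implements MD4 inline (hashlib's md4 is often missing on OpenSSL 3 builds without the legacy provider), derives the NT hash, and builds the LDIF to store it. The attribute name sambaNTPassword (Samba schema, upper-case hex) and the DN are assumptions; FreeRADIUS then needs that attribute mapped to control:NT-Password in the ldap module's update { } section so the mschap module can use it.

```python
"""Compute an NT hash (MD4 over UTF-16LE password) and emit the LDIF that
stores it, so FreeRADIUS can pull it into control:NT-Password for MS-CHAPv2.
Added example; attribute name sambaNTPassword and the DN are assumptions."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python, little-endian 32-bit words)."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                      # padding: 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # 64-bit little-endian bit length

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # per round: function, message-word order, shift amounts, additive constant
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
         (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
         (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, order, shifts, k in rounds:
            for i in range(16):
                # registers rotate a,b,c,d -> d,a,b,c -> ... each step
                a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                s[a] = _rotl((s[a] + fn(s[b], s[c], s[d]) + X[order[i]] + k) & _MASK,
                             shifts[i % 4])
        state = [(x + y) & _MASK for x, y in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted: equal passwords give
    equal hashes, which is exactly why it cracks so easily."""
    return md4(password.encode("utf-16-le"))


def nt_hash_ldif(dn: str, password: str, attr: str = "sambaNTPassword") -> str:
    """LDIF 'modify' replacing the NT-hash attribute (attr name is an
    assumption; Samba's schema stores it as upper-case hex)."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        f"replace: {attr}\n"
        f"{attr}: {nt_hash(password).hex().upper()}\n"
    )


if __name__ == "__main__":
    # constructed sample DN and password, not real directory data
    print(nt_hash_ldif("uid=jdoe,ou=people,dc=example,dc=org", "password"))
```

Pipe the LDIF into ldapmodify from whatever runs at password-change time, and put an ACL on the attribute so that only the FreeRADIUS bind DN (and not ordinary users) can read it: an unsalted MD4 of the password is as good as the password itself to anyone who can dump the directory.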
