Difficulties trying bind as user to openLDAP
Martin Pauly
pauly at hrz.uni-marburg.de
Tue Mar 11 17:53:17 UTC 2025
On 07.03.25 at 14:44, Alan DeKok wrote:
> PAP is the best choice.
> You have to update the supplicant to allow EAP-TTLS-PAP.
citing myself 1 hour ago:
>> Agreed. In real life, it turns out that, as a remainder of the MS monopoly,
>> _all_ vendors of WiFi clients MUST support and test MS-CHAPv2 properly to
>> survive commercially -- counterexamples welcome 🙂
>> They MAY support PAP in addition. With a server side not speaking MS-CHAPv2,
>> odds are your life gets harder, especially if you're running a BYOD service.
Depending on the mixture (and number!) of clients, the support effort
caused by not supporting the seemingly ubiquitous MS-CHAPv2 may warrant
some effort on the server side :-( We enhanced our password update procedure
by calculating the NT-Hash ourselves whenever a user changes their password.
We store it in LDAP, FR pulls it to do MS-CHAPv2 without any Microsoft thing involved.
This is 100% reliable, but 10% of the security you really want as NT-Hash is
so easily cracked.
If you stick with PAP, you might want to take a look at
https://codeberg.org/Amebis/GEANTLink for balky Windows clients.
We used this tool around 2017 for a while before we figured out the above solution.
The developer is still around, and there seems to be some maintenance activity
on the code.
Cheers, Martin
--
Dr. Martin Pauly
HRZ Univ. Marburg
Hans-Meerwein-Str.
D-35032 Marburg
Phone: +49-6421-28-23527
Fax: +49-6421-28-26994
E-Mail: pauly at HRZ.Uni-Marburg.DE