Bryan,

I'm planning on setting up a system exactly like this in the coming days now that PEAP support is available. If all goes well, I intend to produce a howto to make it easier for other folks.

I've been doing some research for this reason, and I've come across the following thread:

http://lists.cistron.nl/pipermail/freeradius-users/2003-March/017366.html

Based on that thread it looks to me like you need:

password_attribute = "NT-Password"

This is then mapped via the ldap.attrmap file to ntPassword (which you should be able to change to whatever LDAP attribute you really have the NT password hash stored in).

I've not actually tried this myself yet, but perhaps you can tell us the results :)

-Matt
MNU Internet System Administrator
MNU Network Security Administrator

--- Original Message Below ---
From: "Woods, Bryan" <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: LEAP, LDAP & NT-password
Date: Tue, 14 Oct 2003 15:16:00 -0700

O.K., I've almost got this working...

The LDAP stores the NT password in a field called 'ntpassword'. It is stored as a standard NT-hash - '8846F7...'. I've modified the LDAP module section so that it uses 'password_attribute = ntpassword'.

Now, if I stick 'password' (un-hashed) into the ntpassword attribute in the LDAP, I can authenticate as 'leap_test' (that's my test user) with the password 'password'. However, if I reset the password attribute to the hashed NT password, it fails with:

Rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP.

So, it seems that my problem has to do with the fact that the LEAP module isn't aware that the password in the LDAP is hashed as an NT password. My guess is that folks who use a smbpass file to authenticate LEAP would have the same situation.

Has anyone else run into this? I will be most grateful to those who can offer suggestions, sympathy, or a cold beer to assist me with this.

Bryan Woods
Pomona Unified School District

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 8:12 AM
To: [EMAIL PROTECTED]
Subject: Re: LEAP, LDAP & NT-password

"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Since my "real" users are in the LDAP, I won't be using the 'users'
> file. So where do I define the Auth-Type? And what value should it be
> set to?

You don't define the Auth-Type. The server will figure it out on its own.

> And I'm guessing that I can set up the ldap section of 'modules' to use
> the 'password_attribute' in which we store the ntPassword? Does that
> sound correct?

I don't use LDAP, but it sounds reasonable. Try it and see.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
