Johan, LEAP does not work with SHA passwords. It requires either clear-text or NT-style (MD4) passwords.
<from the default radiusd.conf>

# Cisco LEAP
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform its authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#

Hope this helps.

Bryan

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 24, 2003 7:19 AM
> To: [EMAIL PROTECTED]
> Subject: LDAP, LEAP and sha-encrypted passwords
>
>
> Hi All,
>
> I am trying to setup freeradius in such a way that a client
> pc can authenticate with LEAP via a CISCO aironet AP 1200
> using an account in LDAP.
>
> I am so far that my freeradius adds my password (the header
> {SHA} is removed successfully) to the "check items", but when
> doing the "get values", it inserts only "{" as password. Due
> to this, I get an "incorrect NtChallengeResponse from AP".
>
> I have been reading all the related topics in the mail
> archive but I cannot find the solution.
>
> I would like to know:
>
> 1) is it possible to use ldap sha-encrypted passwords for
> leap authentication?
>
> 2) if this is possible, how can I make rlm_ldap get the
> correct password when doing the "get values"?
>
>
> ***************DEBUG INFO*******************
>
> ldap_get_values
> rlm_ldap: Added password eIBF4griEW456Ds+hv4x5CaI= in check items
> rlm_ldap: looking for check items in directory...
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values
> rlm_ldap: Adding userPassword as userPassword, value { &
> op=21 ldap_get_values
> rlm_ldap: looking for reply items in directory...
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values
> ldap_get_values ldap_get_values ldap_get_values ldap_get_values
> rlm_ldap: user username authorized to use remote access ldap_msgfree
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 5
> rlm_eap: EAP packet type notification id 6 length 40
> rlm_eap: EAP Start not found
> modcall[authorize]: module "eap" returns updated for request 5
> modcall: group authorize returns updated for request 5
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 5
> rlm_eap: EAP packet type notification id 6 length 40
> rlm_eap: EAP Start not found
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - leap
> rlm_eap: processing type leap
> rlm_eap_leap: Stage 4
> rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
> modcall[authenticate]: module "eap" returns invalid for request 5
> modcall: group authenticate returns invalid for request 5
> auth: Failed to validate the user.
> Login incorrect: [username/<no User-Password attribute>]
> (from client accesspoint port 37 cli 000e6824e6c3)
>
>
> ***************DEBUG INFO*******************
>
>
> Thanks in advance
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
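Bryan's point above, as an added example that is not from either message in the thread and not FreeRADIUS's own code: a small Python routine that splits an LDAP userPassword value into its RFC 2307 scheme header and payload, verifies a candidate against {SHA}/{SSHA} the one-way way, and reports whether the stored form can supply what LEAP's MS-CHAP computation needs (clear-text, or a stored NT hash). The scheme names, the LEAP_CAPABLE_SCHEMES set and all sample values are assumptions constructed for the example; the truncated "{" entry mirrors the value the debug output shows rlm_ldap inserting.

```python
import base64
import hashlib

# Constructed sample userPassword values (not taken from the thread), in the
# RFC 2307 "{scheme}payload" form an LDAP directory typically stores.
_SALT = b"saltsalt"  # fixed salt so the example is reproducible
SAMPLE_USERPASSWORD = {
    "sha-user": "{SHA}" + base64.b64encode(hashlib.sha1(b"secret").digest()).decode(),
    "ssha-user": "{SSHA}" + base64.b64encode(
        hashlib.sha1(b"secret" + _SALT).digest() + _SALT).decode(),
    "clear-user": "secret",
    "truncated-user": "{",  # what the debug output shows rlm_ldap inserting
}

# Assumed scheme names. Only these can feed LEAP/MS-CHAP: the clear-text
# User-Password (from which NT-Password, MD4 over UTF-16LE, is derived) or a
# stored NT hash. SHA/SSHA digests are one-way and cannot be turned into either.
LEAP_CAPABLE_SCHEMES = {"clear", "nt"}


def parse_userpassword(value):
    """Split "{scheme}payload" into (scheme, payload); no header means clear-text."""
    if value.startswith("{"):
        end = value.find("}")
        if end == -1:
            # A header that never closes (e.g. a bare "{") is rejected, not
            # silently used as a password.
            raise ValueError("malformed userPassword, header never closed: %r" % value)
        return value[1:end].lower(), value[end + 1:]
    return "clear", value


def verify_sha(value, candidate):
    """Check a candidate against a {SHA} or {SSHA} value; yields only yes/no."""
    scheme, payload = parse_userpassword(value)
    raw = base64.b64decode(payload)
    if scheme == "sha":
        return raw == hashlib.sha1(candidate.encode()).digest()
    if scheme == "ssha":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest followed by the salt
        return digest == hashlib.sha1(candidate.encode() + salt).digest()
    raise ValueError("not a SHA scheme: %s" % scheme)


def leap_usable(value):
    """True if the stored form can supply what LEAP's MS-CHAP step requires."""
    scheme, _ = parse_userpassword(value)
    return scheme in LEAP_CAPABLE_SCHEMES
```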
