Thanks for the fast answer!
The person who is responsible for the LDAP server told me that our LDAP does
not send a password out, for security reasons, but accepts "binds" with
a password (see the log with radtest, below).
That means if the LDAP server were somehow configured to send out the
attribute UserPassword in cleartext, it would work with MSCHAP?
Is there definitely no chance, when using MSCHAP, to get it working by having the RADIUS server
send a bind message to the LDAP directory, as I did successfully in the log with
radtest?
rad_recv: Access-Request packet from host XXXXXXXXXXXXX:32768, id=71, length=58
User-Name = "XXXXXX"
User-Password = "XXXXXXX"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1111
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
radius_xlat: '/var/log/radius/radacct/XXXXXXXXX/auth-detail-20050125'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/XXXXXXXXXXXX/auth-detail-20050125
modcall[authorize]: module "auth_log" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "XXXXXX", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 8
users: Matched DEFAULT at 158
users: Matched DEFAULT at 160
modcall[authorize]: module "files" returns ok for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for XXXXXXX
radius_xlat: '(cn=XXXXXX)'
radius_xlat: 'cn=XXXXX,dc=XXXXXXX,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=XXXXX,dc=XXXXXXXX,dc=de, with filter
(cn=XXXXXX)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user XXXXXX authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 8
modcall: group authorize returns ok for request 8
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 8
rlm_ldap: - authenticate
rlm_ldap: login attempt by "XXXXXX" with password "XXXXXX"
rlm_ldap: user DN: cn=XXXXXX,cn=XXXXX, dc=XXXXXXXX,dc=de
rlm_ldap: (re)connect to XXXX.X.XXXXXX.de:389, authentication 1
rlm_ldap: bind as cn=XXXXXXX,cn=XXXXXXX, dc=XXXXXXX,dc=de/XPasswordX to
XXXXXX.X.XXXXXXXX.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user XXXXXX authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 8
modcall: group Auth-Type returns ok for request 8
Sending Access-Accept of id 71 to XXXXXXXXXXXX:32768
Finished request 8
> [EMAIL PROTECTED] wrote:
> > If i understood it right, the Radius Server should do a bind to LDAP Server
> > with DN and Password provided.
>
> What password? There's no password in MSCHAPv2, and LDAP doesn't do
> MSCHAPv2.
>
> > The success answer from LDAP tells the Radius Server authentication
> > successful finished.
>
> LDAP servers are not authentication servers. RADIUS servers are
> authentication servers. That's the root cause of your confusion.
>
> > Is it basicaly possible with PEAP/MSCHAPv2 to authenticate at an LDAP
> > directory?
>
> No. See any number of posts on this list about this topic.
>
> LDAP has to provide a clear-text, or NT password to FreeRADIUS.
> FreeRADIUS will then do the work.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
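The point in Alan's reply, that there is no password in MS-CHAPv2 for FreeRADIUS to bind with and that the LDAP server therefore has to hand over a clear-text or NT password, as a worked example. This is added illustration code in Go, not FreeRADIUS's own code (rlm_mschap is C) and not part of the original thread; it implements the MS-CHAPv2 NT-Response computation of RFC 2759 and the check a RADIUS server has to perform on it. The MD4 routine is included because Go's standard library has none; the user name, password and challenges are the test vectors from RFC 2759 section 9.2, used here as a constructed exchange.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 implements RFC 1320 (Go's standard library has no MD4; NtPasswordHash needs it).
func md4(data []byte) []byte {
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (56-len(msg)%64+64)%64+8)...) // zero-pad to 56 mod 64, plus 8 length bytes
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	hf := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	k2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		v := h
		step := func(i int, fn func(x, y, z uint32) uint32, k, s int, add uint32) {
			t := (4 - i%4) % 4 // rotate through (a,b,c,d), (d,a,b,c), (c,d,a,b), (b,c,d,a)
			v[t] = bits.RotateLeft32(v[t]+fn(v[(t+1)%4], v[(t+2)%4], v[(t+3)%4])+x[k]+add, s)
		}
		for i := 0; i < 16; i++ {
			step(i, f, i, s1[i%4], 0)
		}
		for i := 0; i < 16; i++ {
			step(i, g, k2[i], s2[i%4], 0x5a827999)
		}
		for i := 0; i < 16; i++ {
			step(i, hf, k3[i], s3[i%4], 0x6ed9eba1)
		}
		for i := range h {
			h[i] += v[i]
		}
	}
	out := make([]byte, 16)
	for i, w := range h {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out
}

// ntPasswordHash is RFC 2759 section 8.3: MD4 over the UTF-16LE encoded password.
func ntPasswordHash(password string) []byte {
	var buf []byte
	for _, c := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(c), byte(c>>8))
	}
	return md4(buf)
}

// challengeHash is RFC 2759 section 8.2: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(bytes.Join([][]byte{peer, auth, []byte(user)}, nil))
	return sum[:8]
}

// ntResponse is RFC 2759 section 8.5: the hash zero-padded to 21 bytes yields three DES keys.
func ntResponse(challenge, ntHash []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		k7 := padded[7*i : 7*i+7]
		key := []byte{k7[0], 0, 0, 0, 0, 0, 0, k7[6] << 1} // spread 7 bytes over 8; DES ignores each byte's parity bit
		for j := 1; j < 7; j++ {
			key[j] = k7[j-1]<<(8-j) | k7[j]>>j
		}
		c, _ := des.NewCipher(key) // key is always 8 bytes, so NewCipher cannot fail
		c.Encrypt(resp[8*i:], challenge)
	}
	return resp
}

// verifyMSCHAPv2 is the check the RADIUS server must do. It never receives the
// password, only the challenges and the 24-byte NT-Response, so it needs the user's
// NT hash (or the clear-text password) from the directory; it cannot bind as the user.
func verifyMSCHAPv2(storedNTHash, peer, auth, response []byte, user string) bool {
	expected := ntResponse(challengeHash(peer, auth, user), storedNTHash)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	// Constructed exchange using the test vectors of RFC 2759 section 9.2.
	auth, _ := hex.DecodeString("5b5d7c7d7b3f2f3e3c2c602132262628")
	peer, _ := hex.DecodeString("21402324255e262a28295f2b3a337c7e")
	resp := ntResponse(challengeHash(peer, auth, "User"), ntPasswordHash("clientPass")) // client side
	ok := verifyMSCHAPv2(ntPasswordHash("clientPass"), peer, auth, resp, "User")        // server side
	fmt.Printf("NT-Response %x verified: %v\n", resp, ok)
}
```

Run it with `go run`. The client side has the password and sends only the 24-byte NT-Response; the server side can recompute that response only if it holds the user's NT hash (or the clear-text password to derive it). That is why the bind-as-user check rlm_ldap performs in the radtest log above works for PAP, where User-Password arrives in the clear, but has nothing to work with under MS-CHAP: the directory has to let the RADIUS server's own bind identity read a usable password attribute (in the rlm_ldap of that era, the password_attribute setting) if MS-CHAP is required.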