Hello Douglas,

The password that you try to resend is not the encrypted password; it's an ASCII representation of your encrypted password.
I assume that you need to activate the chap (or pap with an encryption_scheme = crypt) module to be able to authenticate this request.
I don't know about LDAP, but I authenticate this kind of encrypted password with MySQL using a scheme like this:


modules {

    [...]

    pap {
        encryption_scheme = crypt
    }

    [...]

    chap {
        authtype = CHAP
    }

    [...]

}

authorize {
    preprocess
    auth_log
    chap
    suffix
    # I'm using MySQL instead of LDAP ...
    sql
}

authenticate {
    Auth-Type LDAP {
        ldap
    }

    Auth-Type CHAP {
        chap
    }
}


Hope this can help you.

I'm running into an issue here, and I can't seem to find the forest for
the trees.  I'm probably overlooking something obvious, and am not
searching correctly for the problem.

Our LDAP server is using crypted passwords at the moment.

The router is a Cisco 5350.  RADIUS is FreeRADIUS 1.0.1-2 on Debian
Sarge.

The problem is this: If I pass the radtest client a clear-text password,
authentication is successful.  If either I pass the client an encrypted
password (copied from the logs) or point the 5350 at the radius server,
it doesn't work.  I verified that the shared secret is correctly matched
with what is in the router.

Here is a sample of the password that is being passed:

User-Password = "\240d\351E\3737\025\022\0227,(rest removed)"

Here is the configuration (comments omitted to save space).  I have
tried with the password_header both set to {CRYPT} and commented out.

ldap {
    server = "*******"
    identity = ********
    password = ********
    basedn = "ou=people,dc=eiu,dc=edu"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    password_header = "{CRYPT}"
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

authorize {
    preprocess
    auth_log
    suffix
    ldap
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

Any ideas?

Thanks.
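
How the User-Password attribute is hidden on the wire per RFC 2865 section 5.2, as an added example that is not part of either message above: the value depends on the shared secret and on the per-request Request Authenticator, so hidden bytes handed back to a client as a password do not authenticate. The secret, password and authenticators are constructed sample values, and the function names are this example's own.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client/NAS side: build the User-Password value (RFC 2865, section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # NUL-pad to a multiple of 16 octets, with a minimum of one block.
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev  # each ciphertext block keys the next mask
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the clear-text password from User-Password."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or Request Authenticator")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def demo() -> dict:
    # Constructed sample values; a real Request Authenticator is random per request.
    secret, password = b"testing123", b"s3cret-pass"
    ra1, ra2 = bytes(range(16)), bytes(range(16, 32))
    wire1 = hide_password(password, secret, ra1)
    wire2 = hide_password(password, secret, ra2)
    # A client handed the hidden bytes treats them as the password and hides them again.
    replayed = unhide_password(hide_password(wire1, secret, ra2), secret, ra2)
    return {
        "same_password_differs_per_request": wire1 != wire2,
        "server_recovers_cleartext": unhide_password(wire1, secret, ra1) == password,
        "mismatched_secret_recovers_password": unhide_password(wire1, b"other", ra1) == password,
        "replayed_bytes_recover_password": replayed == password,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```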



