Maurizio Cimaschi wrote:
> I checked the example, but it's not clear to me why it is so.

Because User-Password is the password as entered by the user. Cleartext-Password is the "known good" password on the server. They are *not* the same.

When you do EAP, there is *no* User-Password attribute in the packets. So doing "User-Password == ..." is *wrong*. There's no User-Password, so there's nothing to compare to.

> In my environment I authenticate against an LDAP server, so according to
> the ldap.attrmap file the LDAP attribute "userPassword" (which contains
> the password in clear text form) is copied to the check-item
> "User-Password". While no attribute seems copied as check-item
> "Cleartext-Password". Still the mschap module is able to authenticate
> the users.

That is a historical artifact of the server. See the big warnings in debugging mode in 2.0.x.

> Is it done "behind the curtain" by the ldap module ?

No.

> In my environment the LDAP server also is used by samba; so there're
> also LM/NT password available (in fact, some users are not also samba
> users but are authenticated via radius); but while googling about using
> freeradius with LDAP that possibility wasn't mentioned, while I found a
> howto that said to add to ldap.attrmap the line:
>
> checkItem User-Password userPassword

Which is wrong. It should map to Cleartext-Password.

Alan DeKok.
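A configuration check for the two mistakes discussed in this thread, as an added example that is not part of the original message or of FreeRADIUS itself. It assumes the whitespace-separated `ItemType RADIUS-Attribute ldapAttribute` layout of ldap.attrmap shown in the quoted line; the function names and both sample inputs are constructed for illustration.

```python
import re

# Constructed sample of an ldap.attrmap file (not taken from a real deployment).
SAMPLE_ATTRMAP = """\
# ItemType   RADIUS-Attribute     ldapAttribute
checkItem    User-Password        userPassword
checkItem    NT-Password          sambaNtPassword
replyItem    Framed-IP-Address    radiusFramedIPAddress
"""

# Constructed sample of "users" file entries.
SAMPLE_USERS = """\
bob     User-Password == "hello"
alice   Cleartext-Password := "hello"
"""

def lint_attrmap(text):
    """Return (line_no, message) for checkItem mappings onto User-Password."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank, comment-only, or malformed line
        item_type, radius_attr, ldap_attr = fields[:3]
        if item_type.lower() == "checkitem" and radius_attr.lower() == "user-password":
            findings.append((no, f"map {ldap_attr} to Cleartext-Password, not User-Password"))
    return findings

def lint_users(text):
    """Return (line_no, message) for entries that compare against User-Password."""
    findings = []
    pattern = re.compile(r"\bUser-Password\s*(==|:=|=)", re.IGNORECASE)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # skip commented-out entries
        if pattern.search(line):
            findings.append((no, "User-Password used as a check item; EAP requests carry none"))
    return findings

if __name__ == "__main__":
    for name, hits in (("ldap.attrmap", lint_attrmap(SAMPLE_ATTRMAP)),
                       ("users", lint_users(SAMPLE_USERS))):
        for no, msg in hits:
            print(f"{name}:{no}: {msg}")
```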

