Maurizio Cimaschi wrote:
> Alan DeKok wrote:
>> The *client* has to supply the MS-CHAP magic using the LAN-manager
>> password. Since the client always chooses NT-hashed passwords... using
>> LAN manager passwords is not possible.
>
> From the README in src/modules/rlm_mschap ...
> So it seems more a limit of the server.

No. The server ALREADY can use LM passwords to authenticate users, IF one
is supplied, AND the client supplies the LM fields of the MS-CHAP response.

Go read the source code to rlm_mschap.c

> Could it be possible to see in the debug if the two encrypted pwd are
> available? If they're there it could be possible to write a patch and,
> possibly, to attach directly to the AD (which seems to make that LM pwd
> available).

You don't need a patch. You can just add the dBCSpwd to ldap.attrmap.

But it won't help. Why? Take a look at RFC 2548, and compare MS-CHAP v*1*
to MS-CHAP v*2*. There are no LM-Password fields in MS-CHAPv2. And PEAP
uses EAP-MSCHAPv2, not v1. Newer versions of Windows also do MS-CHAPv2,
not v1.

So... the dBCSpwd field will only help if the client is doing MS-CHAPv1.
Which means PPP. Sometimes. For very old versions of Windows.

Nice, but not very helpful.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
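To make the structural point above concrete, here is an added Python example (not from the thread and not FreeRADIUS code) that parses the two RFC 2548 response attributes and reports whether a stored LM hash such as dBCSpwd could even be consulted; the 50-byte field layouts are from RFC 2548, ChallengeHash() and its test vector from RFC 2759, and the sample response bytes are constructed.

```python
import hashlib
import struct

# Vendor-Type values under the Microsoft vendor ID (311), RFC 2548.
MS_CHAP_RESPONSE = 1    # MS-CHAPv1: Ident, Flags, LM-Response(24), NT-Response(24)
MS_CHAP2_RESPONSE = 25  # MS-CHAPv2: Ident, Flags, Peer-Challenge(16), Reserved(8), Response(24)


def parse_mschap_response(vendor_type, value):
    """Split the 50-byte attribute value into the fields RFC 2548 defines."""
    if len(value) != 50:
        raise ValueError("MS-CHAP response value must be 50 bytes")
    if vendor_type == MS_CHAP_RESPONSE:
        ident, flags, lm, nt = struct.unpack("!BB24s24s", value)
        # Flags bit 0 set: NT-Response is used instead of LM-Response.
        return {"version": 1, "ident": ident, "uses_nt_response": bool(flags & 1),
                "lm_response": lm, "nt_response": nt}
    if vendor_type == MS_CHAP2_RESPONSE:
        ident, _flags, peer, _reserved, resp = struct.unpack("!BB16s8s24s", value)
        # No LM-Response field exists at all in the v2 layout.
        return {"version": 2, "ident": ident, "peer_challenge": peer, "nt_response": resp}
    raise ValueError("not an MS-CHAP response attribute")


def lm_hash_usable(vendor_type, value):
    """True only when a stored LM hash could take part in verifying this response."""
    fields = parse_mschap_response(vendor_type, value)
    return fields["version"] == 1 and not fields["uses_nt_response"]


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 ChallengeHash(): the 8-byte challenge MS-CHAPv2 actually answers."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username).digest()[:8]


# Constructed sample values (ident 7); field bytes are filler, not real responses.
V1_LM_ONLY = bytes([7, 0]) + b"L" * 24 + b"\x00" * 24
V1_NT = bytes([7, 1]) + b"\x00" * 24 + b"N" * 24
V2 = bytes([7, 0]) + b"P" * 16 + b"\x00" * 8 + b"R" * 24

if __name__ == "__main__":
    for name, vt, val in (("v1/LM", MS_CHAP_RESPONSE, V1_LM_ONLY),
                          ("v1/NT", MS_CHAP_RESPONSE, V1_NT),
                          ("v2", MS_CHAP2_RESPONSE, V2)):
        print(name, "LM hash usable:", lm_hash_usable(vt, val))
```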

