Tim Gustafson wrote:
> Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is
> more up-to-date than the CentOS Yum repositories apparently).
>
> However, upon reading the documentation in modules/ldap, I see this:
...
> So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I
> missing something again?

A lot of the confusion here is terminology. People talk about pulling a password from a database and doing authentication in RADIUS as "authenticating against LDAP". This is technically *not* correct.

In short, LDAP doesn't do MS-CHAPv2. You can't "do MS-CHAPv2 against an LDAP server". You CAN have FreeRADIUS read the clear-text password from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication.

Thinking of it in this way is the *correct* way. It also has impacts on attitudes towards network design, requirements, etc. If you think of it as "doing MS-CHAPv2 against LDAP", it will be difficult to design a system based on how things really work... because the conceptual model underlying the design is wrong.

Alan DeKok.
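
An added example, not part of the message above and not taken from the FreeRADIUS distribution: a sketch of how the two roles described in the reply map onto the `authorize` and `authenticate` sections of a FreeRADIUS 2.x virtual server. It assumes module instances named `ldap` and `mschap`, and an LDAP attribute mapping that hands the stored clear-text password to the server as a check item.

```conf
# Added sketch (assumption: module instances are named "ldap" and "mschap").

authorize {
	preprocess

	# Notices the MS-CHAP attributes in the request and sets Auth-Type to MS-CHAP.
	mschap

	# Database lookup only: searches the directory for the user and copies the
	# stored clear-text password into the request's check items (assumption:
	# the LDAP attribute map exposes that attribute to the server).
	ldap
}

authenticate {
	# FreeRADIUS itself runs MS-CHAPv2 here: it derives the NT hash from the
	# password fetched above and checks the client's challenge response.
	Auth-Type MS-CHAP {
		mschap
	}

	# An LDAP bind needs the user's password in the request, which only PAP
	# supplies. It cannot verify an MS-CHAPv2 response, so it stays disabled.
	#Auth-Type LDAP {
	#	ldap
	#}
}
```

A directory that stores only salted or crypt-style hashes gives the `mschap` module nothing it can compute the response from, so this design depends on the password being readable by the RADIUS server in clear-text (or as an NT hash).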

