On 10/27/2010 06:18 PM, Maurice James wrote:
How do I do it?
You were kindly given the answer previously by Maurice. But just to
reinforce, please review the compatibility information here:
http://deployingradius.com/documents/protocols/compatibility.html
The client is sending mschap, look at the table above, what are the
valid password formats for mschap? What authentication mechanisms are
valid with SSHA?
So you basically have 3 choices:
1) Store cleartext passwords in LDAP
2) Store NT hash in LDAP
3) Don't support mschap clients
Or, if AD is available as your LDAP, use ntlm_auth with AD to support mschap.
Maurice James <[email protected]> wrote:
[ldap] looking for check items in directory...
[ldap] userpassword -> User-Password == "{SSHA}5wzxRoUPX/rLkS9hY1HztczPN8u5m/dGDzKvdg=="
This will not work. You need a cleartext password. This SSHA-Hash is only good
for PAP, any challenge response method like MSCHAPv2 won't function with this.
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for MJames with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
And this is the result --> reject.
--
John Dennis <[email protected]>
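
Why an SSHA value serves PAP but not MS-CHAP, and how the NT hash for choice 2 is derived, as an added example that is not part of the original thread or of FreeRADIUS itself. The password, salt and function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on OpenSSL 3."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for rnd in range(3):
            for i in range(16):
                if rnd == 0:    # F, message words in order
                    k, s, add = i, (3, 7, 11, 19)[i % 4], 0
                    f = (b & c) | (~b & d)
                elif rnd == 1:  # G, words read column-wise
                    k, s, add = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
                    f = (b & c) | (b & d) | (c & d)
                else:           # H, bit-reversed word order
                    k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
                    s, add, f = (3, 9, 11, 15)[i % 4], 0x6ED9EBA1, b ^ c ^ d
                a, b, c, d = d, _rol((a + f + X[k] + add) & 0xFFFFFFFF, s), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def ssha_verify(stored: str, cleartext: str) -> bool:
    """{SSHA} is base64(SHA1(password + salt) + salt): checking it needs the
    cleartext the client sent, which only PAP provides."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(cleartext.encode() + salt).digest(), digest)

def nt_hash(cleartext: str) -> bytes:
    """NT-Password = MD4(UTF-16LE(password)), the secret MS-CHAP is keyed on.
    It is derived from the cleartext and cannot be computed from an SSHA value."""
    return md4(cleartext.encode("utf-16-le"))

# Constructed sample values, not taken from the thread.
PASSWORD = "password"
SALT = bytes.fromhex("0011223344556677")
STORED = "{SSHA}" + base64.b64encode(
    hashlib.sha1(PASSWORD.encode() + SALT).digest() + SALT).decode()

if __name__ == "__main__":
    print("PAP check against SSHA:", ssha_verify(STORED, PASSWORD))
    print("NT hash for option 2:  ", nt_hash(PASSWORD).hex())
```

The NT hash is unsalted and is itself sufficient to answer an MS-CHAP challenge, so the LDAP attribute holding it needs the same read restrictions as a cleartext password.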