Hello,

I have a FreeRADIUS server that I use to authenticate users before they access network switches. User passwords reside in an LDAP directory with the following attributes and formats:

userPassword: (CRYPT password)
sambaNTPassword: (NT Hash)
sambaLMPassword: (LM hash)

PAP is automatically choosing the NT encryption to validate the password. Is there a way to force PAP to use the userPassword with the CRYPT encryption?

PS: I have to keep sambaNTPassword and sambaLMPassword along with userPassword as check items for other use scenarios.

I'll post the relevant part of my radius log file in case it helps. Thank you.

[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{CRYPT}$1$$xkbzS/dF4YU/JKyjA5.36."
[ldap] sambaNtPassword -> NT-Password == 0x4539463933393235373938463136464345394639333932353739384631364642
[ldap] sambaLmPassword -> LM-Password == 0x4243333041323738464338383546424538393735438383546424538393735456
[ldap] userPassword -> User-Password == "{CRYPT}$1$$xkbzS/dF4YU/JKyjA5.36."
[ldap] looking for reply items in directory...
[ldap] user theUser authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "thepassword"
[pap] Using NT encryption.
[pap]   expand: %{User-Password} -> thepassword
[pap] NT-Hash of thepassword = e9f93925798f16fc4c9f93925798f1
[pap] expand: %{mschap:NT-Hash %{User-Password}} -> e9f93925798f16fc4c9f93925798f1
[pap] User authenticated successfully



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
