Dear,
At the risk of falling into a known trap.
I've read enough statements that one can't do mschapv2 with openldap, unless
you store the passwords in clear-text. I know that.
But those same sources also state that this isn't true when you have a (MS)
hash available for those users, like NT-/LM-PASSWORD, which I have.
Yet my configuration still seems to expect clear-text passwords.
From the debug output (cleaned):
[ldap] looking for check items in directory...
[ldap] userPassword -> User-Password == "{crypt}<cryptpasswd>"
[ldap] userPassword -> Password-With-Header == "{crypt}<cryptpasswd>"
[ldap] sambaNTPassword -> NT-Password == 0x<hash>
[ldap] sambaLMPassword -> LM-Password == 0x<hash>
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: <userid>
[mschap] Told to do MS-CHAPv2 for <userid> with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
What am I missing in the configuration? It has the hashed passwords, seemingly
mapped to the correct attributes, yet it still says it doesn't have them.
The config is as stock as possible, using
http://vuksan.com/linux/dot1x/802-1x-LDAP.html and
http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius as guidelines.
See pastebin for the entire configuration, since one can't post attachments to
a mailing list. http://pastebin.com/d6FWVS1F
Br,
Thomas
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html