Hello Alexander,

The difference is in the default radius config: it calls the ldap module in
the authorize section.

You can follow this logic in
https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
(it's based on freeradius 2, but the logic is there)

```

authorize {

....
        suffix
        ntdomain
....
        # ldap looks the user up and, through its update {} mapping,
        # sets control:NT-Password from the directory attribute
        ldap
        if (ok) {
            update control {
                # make rlm_mschap verify against control:NT-Password
                # instead of calling ntlm_auth
                MS-CHAP-Use-NTLM-Auth := No
            }
        }
}

```

Regards

Fabrice


On Mon, 31 Oct 2022 at 13:25, Alexander via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello friends! I need help
>
> I am testing a *locally installed freeradius* configuration to work with
> freeipa (ldap) on nthash via mschap-v2
>
> What I did for this:
>
> 1) yum install freeradius-ldap
> 2) ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
> 3) change /etc/raddb/mods-available/ldap
>
>     server = 'server.dmosk.local'
>     identity = 'uid=services,cn=users,cn=accounts,dc=test,dc=com'
>     password = my_password
>     base_dn = 'cn=users,cn=accounts,dc=test,dc=com'
>     update {
>         ...
>         control:NT-Password := 'ipaNTHash'
>         ...
>     }
> 4) change /etc/raddb/mods-available/eap
> ...
> default_eap_type = mschapv2
> ...
> 5) reload freeradius
> 6) TESTING:
> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
>
> and get Received *Access-Accept*
>
> *Question:*
> Can anyone tell me how to set up this configuration on PacketFence?
> I tried to do this, but it didn't work for me:
> 1. Create authentication source - LDAP - define server, identity,
> password, base_dn, Username Attribute. And checked through the test button
> 2. add update control:NT-Password := 'ipaNTHash' to file
> /usr/local/pf/raddb/mods-enabled/ldap_packetfence
> 3. change default_eap_type = mschapv2
> in /usr/local/pf/raddb/mods-enabled/eap
> 4. add to Standard Connection Profile sources ldap
> 5. tried adding default and null in tab stripping to Realms - ldap source
> 6. TESTING:
> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
> and get:
>
> Received Access-Reject Id 247 from 127.0.0.1:1812 to 127.0.0.1:56955
> length 61
> MS-CHAP-Error = "\000E=691 R=0 C=1cef2a7d250330ff V=2"
> (0) -: Expected Access-Accept got Access-Reject
>
> I do not understand what the problem is. I also attached the logs of
> freeradius running in debug mode (/usr/sbin/freeradius -d
> /usr/local/pf/raddb -n auth -fxx -l stdout). See attachment. Please help me.
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
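Added example (not code from this thread, nor from PacketFence or FreeRADIUS): the whole setup above rests on one fact, that rlm_mschap can verify an MS-CHAPv2 response from the NT hash alone, which is MD4 over the UTF-16LE-encoded password, the same value FreeIPA stores in ipaNTHash. When the mschap module answers with E=691 it helps to know whether the hash the ldap module assigned to control:NT-Password (visible in the -X debug output after the ldap module runs) is actually the hash of the password you typed into radtest. The script below recomputes the NT hash and compares it with a stored value given either as 16 raw bytes or as 32 hex characters; MD4 is implemented in pure Python because hashlib's md4 is unavailable on OpenSSL 3 builds unless the legacy provider is loaded. The sample hash in the usage block is the well-known NT hash of the string "password", constructed here for illustration.

```python
"""Compute and check Windows NT hashes (what ipaNTHash / NT-Password hold).

Added example, not code from the mailing-list thread or from PacketFence.
MD4 is implemented here because hashlib.new('md4') raises ValueError on
OpenSSL 3 builds unless the legacy provider is loaded.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (pure Python, little-endian 32-bit words)."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        # Round 1: F, message words in order, shifts 3 7 11 19.
        # After each step the registers rotate so the next step works on "d".
        for i in range(16):
            a = _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: G + 0x5A827999, words 0 4 8 12 1 5 9 13 ..., shifts 3 5 9 13
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H + 0x6ED9EBA1, words 0 8 4 12 2 10 6 14 ..., shifts 3 9 11 15
        for i in range(16):
            a = _rotl((a + H(b, c, d) + X[round3_order[i]] + 0x6ED9EBA1) & MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK

    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the password encoded as UTF-16LE (no terminator)."""
    return md4(password.encode("utf-16-le"))


def normalize_nt_password(value) -> bytes:
    """Accept a stored hash as 16 raw bytes or as 32 hex chars (str or bytes)."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) == 16:
        return value
    if len(value) == 32:
        return bytes.fromhex(value.decode("ascii"))
    raise ValueError("NT hash must be 16 raw bytes or 32 hex characters")


def nt_password_matches(stored, password: str) -> bool:
    """Does a stored NT hash (e.g. an ipaNTHash value) match `password`?"""
    return normalize_nt_password(stored) == nt_hash(password)


if __name__ == "__main__":
    # Constructed sample: the well-known NT hash of the string "password".
    sample = "8846f7eaee8fb117ad06bdd830b7586c"
    print("nt_hash('password') =", nt_hash("password").hex())
    print("matches 'password':", nt_password_matches(sample, "password"))
    print("matches 'Password':", nt_password_matches(sample, "Password"))
```

To use it against a directory, pull the attribute with ldapsearch (it comes back base64-encoded because the value is binary), decode it, and pass the 16 bytes to nt_password_matches together with the test password. A False result means the directory holds a hash for a different password (or no usable hash at all) and no amount of authorize-section tuning will turn the reject into an accept; a True result points the search back at the unlang logic, i.e. whether the ldap module ran and whether MS-CHAP-Use-NTLM-Auth was set to No before mschap ran.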