Thanks,
I guess I'm making things more complicated than they really are. I started with fresh conf files. I uncommented the tls and peap sections of eap.conf. I now get the following output:


rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap: Tunneled data is valid.
 rlm_eap_peap:  Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user


I hope I included enough of it. Thanks for all your help.

-Barry Stewart


It now fails with the following

Alan DeKok wrote:

Barry Stewart <[EMAIL PROTECTED]> wrote:


I know you need to bind to LDAP with a clear text password. Apparently this isn't possible with eap/peap.



Exactly.



According to the docs you need to extract the password from LDAP
first and then do the comparison from instead of authenticating from
LDAP. Does this mean the passwords in the LDAP directory have to be
stored in plain text?



Or as NT-Passwords (MD4 hashes of the plain-text password)



When I set the Windows XP clients up with ms-chapv2/peap I was able to authenticate from clear text passwords in the users file. I don't know much about ms-chap. Is it a one way encryption algorithm such as MD5?



Yes.



I am running radiusd in debugging mode and it seems to be failing with the following:

rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.



You have told the server to do username/password binding to LDAP, for authentication. Don't do this for PEAP.



I'm guessing the problem is that the password just isn't being sent
in clear text so the module quits.



The problem is also that you're setting Auth-Type to LDAP when you're not supposed to.

 Don't set it to anything.  The server will figure it out for itself.

 Alan DeKok.


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



