OK. Thanks for the explanation. We also run a Microsoft Active Directory that is storing NT-Passwords. Would this work with FreeRADIUS, mschap and PEAP?
Thanks
lje

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, June 14, 2004 1:21 PM
To: [EMAIL PROTECTED]
Subject: Re: ldap sha1 mschap peap pap

"Epp, Ladd J" <[EMAIL PROTECTED]> wrote:
> Since I'm still relatively new to FreeRADIUS
> authorization/authentication, some clarification on the following
> subject would help me out greatly. I understand that ldap passwords
> must be clear to use mschap (Windows XP wireless supplicant using PEAP).
> Is this absolutely true?

Clear text, or NT-Passwords.

> On reading the FAQ (5.11), I get the impression that you can use PAP
> passwords to authenticate. And, in radiusd.conf, you can specify a
> pap encryption scheme (in my case, my ldap passwords are in sha1).

That won't work with PEAP, because the passwords aren't clear-text.

> Also, I'm able to bind using the credentials I've entered on the
> supplicant side.

... when you're not using xsupplicant to supply the passwords.

> My knowledge is limited, but why can't the LDAP authorization be
> enough to say, "ok, the user is in the database and the password is
> good. Let him/her have access." Why is authorization happening, but
> User-Password errors stopping me.

Because EAP doesn't provide clear-text passwords, which LDAP needs for binding. And when you try to use EAP for authentication, LDAP is supplying SHA1 passwords, NOT the clear-text password needed by EAP.

Use clear-text passwords.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
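Added example (not from the thread and not FreeRADIUS code): a simplified Python model of the point made in the reply above, showing that a SHA1-hashed store can verify PAP but cannot verify an MS-CHAP style challenge response, while clear-text or an NT hash can. The function names and sample values are constructed for illustration, and HMAC-SHA256 is an assumption standing in for the real DES-based MS-CHAP response computation.

```python
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); hashlib may not expose it on OpenSSL 3.
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + bytes((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + f(b, c, d) + x[k] + const) & 0xFFFFFFFF
                a, b, c, d = d, rol(t, shifts[i % 4]), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    # NT-Password: MD4 over the UTF-16LE encoding of the password.
    return md4(password.encode("utf-16-le"))

def chal_response(key: bytes, challenge: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA256 stands in for MS-CHAP's DES-based response.
    return hmac.new(key, challenge, hashlib.sha256).digest()

def pap_ok(stored_sha1: bytes, sent_cleartext: str) -> bool:
    # PAP: the server receives the password itself and can hash it to compare.
    return hmac.compare_digest(hashlib.sha1(sent_cleartext.encode()).digest(), stored_sha1)

def mschap_ok(kind: str, stored, challenge: bytes, resp: bytes) -> bool:
    # MS-CHAP: the server sees only a response and must rebuild the NT hash key.
    if kind == "cleartext":
        key = nt_hash(stored)
    elif kind == "nt":
        key = stored
    else:  # e.g. "sha1": one-way, no path back to the password or the NT hash
        return False
    return hmac.compare_digest(chal_response(key, challenge), resp)

if __name__ == "__main__":
    pw, ch = "Tr0ub4dor&3", bytes(range(16))  # constructed sample values
    sha, resp = hashlib.sha1(pw.encode()).digest(), chal_response(nt_hash(pw), ch)
    print(pap_ok(sha, pw), mschap_ok("nt", nt_hash(pw), ch, resp), mschap_ok("sha1", sha, ch, resp))
```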