Hi,

I have a question about the problem below.

If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.

Ron Wahler wrote:

You could still encrypt the passwords in the ldap database, it just has
to be a two-way hash so you can get the password in the clear.

Ron.

Ron Wahler
http://www.positive-logic.net

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christopher Price
Sent: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

I am having the same problem. When you use an EAP type (like PEAP), a
hash of the password is sent to the radius server. The radius server is
able to deal with this if it has the password (such as in a mysql DB or
local file). The password can be hashed and compared with the hash that
was received from the client (WinXP PC in your case). If you use LDAP,
you must supply a cleartext password (usually over SSL) in order to
perform PAP authentication. Since you are sending the hash of the
password to the LDAP server it cannot bind. The only solution that I
have found is to store cleartext passwords in the LDAP DB, but this
would defeat the purpose of authentication because then anyone could
view passwords stored on the LDAP server. I hope this explanation helps
(at least it wasn't filled with WTF's and RTFM's like some responses).
:)


[EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>

On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:

AJ Grinnell <[EMAIL PROTECTED]> wrote:

Ok, I have peap working with the users file and with mysql, and I
have radius working with ldap also. But I can not get a user to
authenticate against ldap using peap.

The server does not authenticate against LDAP for any EAP type.

See my previous message to you on this topic.


I have seen that you cant use eap and ldap,

You already asked this question, and I already answered it. If you
don't remember, read the list archives.


but peap and ldap should work from what I have read.

PEAP is a type of EAP.


the debug that I am seeing is very long, so I have included the part
where I am seeing an obvious error.

The part where it says it doesn't have a password?


rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

You haven't told the server what the user's password is. How the
heck do you expect it to authenticate anyone?

 Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



I'm sorry, I have not seen any replies that you may have given me. The server has been told what the user's password is when they log in over the wireless: Windows XP asks for a username and password, both of which are in active directory. I can authenticate against the users file and a mysql database in the same fashion, why would ldap not work? Again, I'm sorry if this is a basic question.







-- Israel Alves - Infrastructure Manager, Quantiza Systems - 55(51) 598-2343

