Matt Juszczak wrote:
Hi all,

We've got our freeradius servers working with LDAP fine, except for CHAP. Originally, the logs were saying "Invalid user \\user", but we fixed that by enabling an option in radiusd.conf.

Now, when we dial up without encrypted password enabled, the connection comes through successfully. However, when we enable the encrypted password option and try again, we get:

Thu Dec 15 18:12:52 2005 : Auth: Login incorrect (rlm_ldap: empty password supplied): [username/] (from client 123.123.123.123 port 3088 cli 2125550404)

It's saying the password is empty, but we are indeed using a password.

Does anyone have any ideas? We've followed the instructions in the FAQ (CHAP above LDAP in the authorize section, no := Auth-Type, etc.)..... it just doesn't seem to want to recognize that a password is being entered.

For the record, no query hits the LDAP server during a CHAP authentication...... so it's obviously something with the config of freeradius.

You've posted no debugging output or config, so it's difficult to tell, but:

To do CHAP, you must have:

 1. The PLAINTEXT password in the LDAP server
 2. The Radius server permitted to read that attribute
 3. The ldap module configured to put whatever that attribute is (usually userPassword) into the radius "User-Password", using the "password_attribute" option of the ldap module
 4. "chap" above "pap" in the authorize (which you've got)
 5. "chap" anywhere in authenticate


Thanks for any help!

-Matt
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
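
Added example, not part of the original thread and not FreeRADIUS code: a minimal sketch of the CHAP check from RFC 1994 / RFC 2865, showing why requirement 1 in the reply (the plaintext password in LDAP) is needed. The password, identifier and the {SHA} directory value are constructed sample data.

```python
import base64
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: the RADIUS CHAP-Password attribute (RFC 2865) is one
    identifier byte followed by the 16-byte response. The cleartext
    password itself is never sent."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Server side: recompute the response from the stored directory value.
    This only succeeds when `stored` is the cleartext password."""
    if len(chap_password) != 17:
        return False
    ident, received = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored, challenge)
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    password = b"s3cret-dialup"
    challenge = os.urandom(16)
    attr = build_chap_password(0x2A, password, challenge)

    # Directory entry holding the cleartext password: CHAP can be checked.
    cleartext_ok = verify_chap(attr, challenge, password)

    # Directory entry holding a hashed userPassword ({SHA} scheme): the server
    # cannot recover the cleartext, so the recomputed MD5 never matches.
    hashed = b"{SHA}" + base64.b64encode(hashlib.sha1(password).digest())
    hashed_ok = verify_chap(attr, challenge, hashed)

    return {"cleartext": cleartext_ok, "hashed": hashed_ok}


if __name__ == "__main__":
    print(demo())
```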
