Yes, I use PEAP/MSCHAPv2, and passwords in OpenLDAP are stored in clear text, but there is a really strange error when I try an authentication via EAP-PEAP (MSCHAPv2). Here is the output of FreeRADIUS:

lm_ldap: checking if remote access for test is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns ok for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [test/<no User-Password attribute>] (from client localhost port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

I don't know if that error is due to an impossible comparison between the hashed password in MSCHAP and the clear OpenLDAP password, or if there are problems with the NT/LM-Password fields.


2006/6/6, Michael Griego <[EMAIL PROTECTED]>:
I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2.  In
this case, MD5 is not involved anywhere.  The passwords are hashed
differently.  As such, you must either have an NT hashed password
(which is actually a unicode-encoded MD4 hash of the password) or a
cleartext password in your directory.

--Mike

On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:

> Hello,
>
> I would like to use PEAP to perform authentication of WLAN users.
> I choose PEAP because users and passwords are in an LDAP server
> (OpenLDAP). According to me, PEAP works like this:
>
> Phase 1 :: TLS handshake: the server authenticates to the client as a
> trusted RADIUS server and a ciphered tunnel is created.
> Phase 2 :: Login + Password + Domain hashed with MD5 are sent to
> the RADIUS server, which asks the LDAP server for password and login.
>
> According to the doc file: realm_eap, FreeRADIUS supports only
> eap-tls (authentication based only on certificates (client +
> server ) lead and eap-MD5 (according to me, even if PEAP uses an MD5
> hash, EAP-MD5 is different, with no mutual authentication and
> no TLS handshake)
>
> I don't want to use a full certificate-based solution like EAP-TLS or
> an authentication with no ciphered tunnel like with EAP-MD5.
>
> Could anyone help me use PEAP (or at least authentication
> with the two phases described above) with FreeRADIUS?
>
> thank you.
>
> Ps : sorry for english mistakes :)
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
> users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


