Hi there,

I'm trying to configure my FreeRADIUS (v 1.272) to work with an LDAP server (for MAC-based authentication). Unfortunately, the switches of the LAN send only Access-Request to the RADIUS with a CHAP password, so I have to choose CHAP authentication. I get the MAC address from the LDAP and I map it in Cleartext-Password for the CHAP authentication. LDAP MAC addresses are like this "ethernet 00:11:22:33:44", so I have to modify Cleartext-Password before the authentication.

To do this, I have the following configuration:

ldap.attrmap:

    ...
    checkItem    Cleartext-Password    dhcpHWAddress
    ...

(dhcpHWAddress being the attribute which contains the MAC address in the LDAP)

------------------------------------------------------------------------------

sites-enabled/default:

    authorize {
        chap
        ldap
        ...
    }
    authenticate {
        ...
        Auth-Type CHAP {
            #update control {
            #    Cleartext-Password := "%{User-Name}"
            #}
            if ( Cleartext-Password =~ /ethernet ([1-9a-zA-Z:]*)/i ) {
                update control {
                    Cleartext-Password := "%{1}"
                }
            }
            chap
        }
        ...

And the right configuration in the radiusd.conf.

My problem is that Cleartext-Password is unknown ("not found") when I want to modify it, but afterwards, during the authentication, it has its value. Here is the debug (by freeradius -X):

    ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=XXX,dc=fr, with filter (XXXXX)
    rlm_ldap: No default NMAS login sequence
    rlm_ldap: looking for check items in directory...
    rlm_ldap: LDAP attribute dhcpHWAddress as RADIUS attribute Cleartext-Password == "ethernet 00:11:XX:XX:XX:XX"
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: LDAP attribute dhcpVlan as RADIUS attribute Tunnel-Private-Group-Id:0 = "XXX"
    rlm_ldap: user 00:11:XX:XX:XX:XX authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    rad_check_password: Found Auth-Type CHAP
    auth: type "CHAP"
    +- entering group CHAP
    ++? if (Cleartext-Password =~ /ethernet ([1-9a-ZA-Z:]*)/i )
    (Attribute Cleartext-Password was not found)
    rlm_chap: login attempt by "00:11:XX:XX:XX:XX" with CHAP password
    rlm_chap: Using clear text password "ethernet 00:11:XX:XX:XX:XX" for user 00:11:XX:XX:XX:XX authentication.
    rlm_chap: Password check failed
    ...

Of course, if I remove the # before:

    #update control {
    #    Cleartext-Password := "%{User-Name}"
    #}

Cleartext-Password takes a new value and all is fine...

I don't understand why the Cleartext-Password takes a value from the LDAP, then is not found, and finally contains the value from the LDAP for the authentication... Could you help me, please?

Thanks
pfaf
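
The following is an added example, not part of the original post and not FreeRADIUS code: it reproduces the CHAP comparison (RFC 1994) that ends in "Password check failed" when the stored cleartext still carries the "ethernet " prefix, and shows the check passing once the LDAP value is reduced to the bare MAC. It assumes the switch uses the MAC address as both user name and CHAP secret, as the debug output suggests; the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import re

# Matches "ethernet aa:bb:cc:dd:ee:ff"; the character class is hex digits, 0 included.
MAC_RE = re.compile(r"^ethernet\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.IGNORECASE)


def normalize_dhcp_hwaddress(value):
    """Return the bare MAC from a dhcpHWAddress value, or None if it is malformed."""
    m = MAC_RE.match(value.strip())
    return m.group(1) if m else None  # case is kept exactly as stored in LDAP


def chap_response(chap_id, password, challenge):
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def chap_check(chap_password, challenge, cleartext):
    """Verify a RADIUS CHAP-Password value (1-byte identifier + 16-byte response)."""
    if cleartext is None or len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


# Constructed sample request: the switch hashes the bare MAC as its CHAP secret.
MAC = "00:11:22:33:44:55"
CHALLENGE = bytes(range(16))
CHAP_ID = 7
CHAP_PASSWORD = bytes([CHAP_ID]) + chap_response(CHAP_ID, MAC, CHALLENGE)
LDAP_VALUE = "ethernet 00:11:22:33:44:55"  # constructed dhcpHWAddress value

if __name__ == "__main__":
    # Raw LDAP value as Cleartext-Password: the hashes differ, the check fails.
    print("raw LDAP value:", chap_check(CHAP_PASSWORD, CHALLENGE, LDAP_VALUE))
    # Prefix stripped before the comparison: the check passes.
    stripped = normalize_dhcp_hwaddress(LDAP_VALUE)
    print("normalized    :", chap_check(CHAP_PASSWORD, CHALLENGE, stripped))
```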