Kyle Plimack wrote:
> I have pap working (i.e. I ran radtest and got an access-accept).
> I don’t want to configure certs on each of my hosts for each of my
> clients, so I’d like to use PEAP/msChapV2 so that dot1x clients are
> prompted for a username/password.
>
> According to the deployingradius.com guide, once pap is working,
> mschapv2 should “just work”. It doesn’t.

Your debug output shows you are using PEAP. That is *not* MSCHAPv2.

> I’ve put the log on pastebin where it is formatted in a more friendly way
> http://pastebin.com/9tSjQW1f

You have added "ldap" to the "inner-tunnel" section. That's good.

You haven't read the WARNING in the debug output, as pointed out by John. That's bad.

The server NEEDS a "known good" password in order to authenticate the user. The LDAP server didn't supply one.

Ensure that that LDAP server returns a password. It *will* work.

This problem has come up many, many, times before. The solution is always the same: what we already told you.

Alan DeKok.
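An added illustration of the "known good" password requirement above (not part of the original message and not FreeRADIUS code): a small check over LDAP entries, as the RADIUS server's bind identity would receive them, that reports whether each one carries a password form MS-CHAPv2 can be verified against. The attribute names `userPassword` and `sambaNTPassword`, the `{scheme}` prefix convention, and all sample values are assumptions about the directory and are constructed for the example.

```python
import re

def classify_user_password(value):
    """Classify a userPassword value by its {scheme} prefix (assumed convention)."""
    m = re.match(r"\{([A-Za-z0-9_-]+)\}", value)
    if m is None or m.group(1).upper() in ("CLEAR", "CLEARTEXT"):
        return "cleartext"
    return "hashed:" + m.group(1).upper()

def mschap_ready(entry):
    """Return (usable, reason) for one LDAP entry as returned to the RADIUS server."""
    # MS-CHAP can be checked against an NT hash (32 hex digits)...
    nt = entry.get("sambaNTPassword")
    if nt and re.fullmatch(r"[0-9A-Fa-f]{32}", nt):
        return True, "NT hash present"
    pw = entry.get("userPassword")
    if pw is None:
        # The case in this thread: the search returned no password at all.
        return False, "no password attribute returned"
    # ...or against a cleartext password. Salted or one-way hashes are
    # enough for PAP but cannot be used to verify an MS-CHAP response.
    kind = classify_user_password(pw)
    if kind == "cleartext":
        return True, "cleartext password present"
    return False, kind + " cannot be used for MS-CHAP"

# Constructed sample entries (not from the pastebin log).
SAMPLE_ENTRIES = {
    "alice": {"uid": "alice"},
    "bob": {"uid": "bob", "userPassword": "{SSHA}Y29uc3RydWN0ZWQtc2FtcGxl"},
    "carol": {"uid": "carol", "userPassword": "constructed-sample"},
    "dave": {"uid": "dave", "sambaNTPassword": "0123456789ABCDEF0123456789ABCDEF"},
}

def report(entries):
    """Map each uid to its (usable, reason) result."""
    return {uid: mschap_ready(entry) for uid, entry in entries.items()}

if __name__ == "__main__":
    for uid, (ok, reason) in report(SAMPLE_ENTRIES).items():
        print(f"{uid:6} {'OK  ' if ok else 'FAIL'} {reason}")
```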