On 06/18/2010 02:01 AM, Alan DeKok wrote:
Kyle Plimack wrote:
I have pap working (i.e.  I ran radtest and got an access-accept).
I don’t want to configure certs on each of my hosts for each of my
clients, so I’d like to use PEAP/msChapV2 so that dot1x clients are
prompted for a username/password.

According to the deployingradius.com guide, once pap is working,
mschapv2 should “just work”.  It doesn’t.

   Your debug output shows you are using PEAP.  That is *not* MSCHAPv2.

I’ve put the log on pastebin where it is formatted in a more friendly way
http://pastebin.com/9tSjQW1f

   You have added "ldap" to the "inner-tunnel" section.  That's good.
You haven't read the WARNING in the debug output, as pointed out by
John.  That's bad.

   The server NEEDS a "known good" password in order to authenticate the
user.  The LDAP server didn't supply one.  Ensure that the LDAP server
returns a password.  It *will* work.

Do an ldapsearch on the command line for the user to see what is getting returned to radius. Look for the password attributes: are they there? Is there a cleartext password rather than just hashes? Does the cleartext password attribute in ldap match the password attribute in your radius ldap config (by default it's userPassword)? Does your /etc/raddb/ldap.attrmap file have this line?

checkItem   Cleartext-Password      userPassword

Don't forget to put an ACL on the password attributes in ldap; you don't want others to be able to read them! If you don't want to store cleartext passwords you'll need to restrict the protocols you support.

--
John Dennis <jden...@redhat.com>
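The ldapsearch check John describes, as an added example that is not part of the thread or of FreeRADIUS: it reads LDIF as ldapsearch prints it (userPassword normally comes out base64-encoded, the "::" form), decodes the values and reports whether each is cleartext or a {SCHEME} hash. A cleartext value is what the ldap.attrmap line above maps to Cleartext-Password and what MS-CHAPv2 needs; a {SSHA}/{CRYPT}/{MD5} hash is enough for PAP but not for MS-CHAPv2. The LDIF is constructed sample data; the attribute name, DN and GNU/BSD `base64 -d` are assumptions.

```shell
#!/bin/sh
# Constructed sample LDIF, standing in for the output of something like:
#   ldapsearch -x -LLL -b "ou=people,dc=example,dc=com" "(uid=kyle)" userPassword
# Values are base64 of "{SSHA}notarealhash" and "Secret123" (not real secrets).
SAMPLE_LDIF='dn: uid=kyle,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9bm90YXJlYWxoYXNo

dn: uid=demo,ou=people,dc=example,dc=com
userPassword:: U2VjcmV0MTIz
'

# Print the decoded values of one attribute (default userPassword) from LDIF
# on stdin, one per line.  Handles both "attr:: <base64>" and "attr: <text>".
# Assumes `base64 -d`; LDIF line folding is not handled in this short version.
ldif_user_passwords() {
    attr=${1:-userPassword}
    while IFS= read -r line; do
        case "$line" in
            "$attr:: "*) printf '%s\n' "${line#"$attr:: "}" | base64 -d; printf '\n' ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# Classify one decoded value the way FreeRADIUS will see it:
# "cleartext" or "hashed:<SCHEME>" for RFC 2307 style "{SCHEME}..." values.
classify_password() {
    case "$1" in
        '{'*'}'*) scheme=${1#\{}; scheme=${scheme%%\}*}; printf 'hashed:%s\n' "$scheme" ;;
        *)        printf 'cleartext\n' ;;
    esac
}

# MS-CHAPv2 can only be verified against a cleartext known-good password
# (or an NT hash stored separately); a {SSHA}-style userPassword cannot be used.
mschapv2_usable() {
    [ "$(classify_password "$1")" = cleartext ]
}

# Walk the sample and report each entry's password form.
check_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_user_passwords userPassword | while IFS= read -r pw; do
        if mschapv2_usable "$pw"; then verdict="ok for MS-CHAPv2"; else verdict="PAP only"; fi
        printf '%s -> %s\n' "$(classify_password "$pw")" "$verdict"
    done
}

check_sample
```

Run it against real ldapsearch output by piping that output into `ldif_user_passwords` instead of the sample; if nothing is printed at all, the bind DN cannot read the attribute (the ACL John mentions) or the attribute name differs from the one in your ldap config.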
