On 06/18/2010 02:11 PM, Kyle Plimack wrote:
Doing an ldapsearch put me on the right track, I had created a user
‘radiusd’, but that user did not have the rights to request the
userPassword.

The error I am getting now is:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for kplimack with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

I added an entry to ldap.attrmap, “checkItem Cleartext-Password
userPassword”
The Password is not cleartext, but I read somewhere that radius is
supposed to figure that out automatically from a header. This is what is
returned:

rlm_ldap: userPassword -> Cleartext-Password ==
"{SSHA}xQjX16XbCUSXpiR2y****************"

That's not a clear text password is it?

You can't do MSCHAP with SHA1.

Please look at:

http://deployingradius.com/documents/protocols/compatibility.html

Which password type is compatible with *all* authentication mechanisms?

Which will work with SHA1?

If you have multiple password attributes in ldap per user, for instance different hashes and hopefully a cleartext, then set the userPassword attribute in ldap.attrmap to User-Password and enable auto_header in the ldap module config. The ldap module will read *every* password attribute defined for the user and map them based on the {} prefix. In the above case your prefix was {SSHA}, so rlm_ldap will map that to PW_SSHA_PASSWORD.

But you already know from reading the protocol table it won't work with MSCHAP, right?

Which type of password works with everything? Look at the table.

What works with MSCHAP? Look at the table.

Now, go back and add the necessary password attributes to your ldap.

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
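The following is an added example, not code from this thread or from FreeRADIUS itself. It models the behaviour John describes: each LDAP userPassword value is mapped to a FreeRADIUS control attribute by its {} header, and the set of attributes found then decides which authentication methods can succeed. The header table is my approximation of rlm_ldap's auto_header handling (check your version's rlm_ldap source), the method table follows the deployingradius.com compatibility page, and the assumption that a value with no recognised header is treated as cleartext is mine. It also verifies a salted {SSHA} value to make the point that an SSHA digest can only be compared against a cleartext offered by the client (PAP), never used to compute an MS-CHAP response.

```python
import base64
import hashlib
import os

# Header -> FreeRADIUS control attribute. Approximation of rlm_ldap's
# auto_header table; header comparison is case-insensitive.
HEADER_TO_ATTR = {
    "{clear}": "Cleartext-Password",
    "{cleartext}": "Cleartext-Password",
    "{md5}": "MD5-Password",
    "{smd5}": "SMD5-Password",
    "{crypt}": "Crypt-Password",
    "{sha}": "SHA-Password",
    "{ssha}": "SSHA-Password",
    "{nt}": "NT-Password",
}

# Stored password forms each method can be checked against, per the
# deployingradius.com compatibility table. MS-CHAP needs either the
# cleartext or the NT hash; every one-way hash other than NT fails it.
METHOD_COMPATIBLE = {
    "PAP": {"Cleartext-Password", "MD5-Password", "SMD5-Password",
            "Crypt-Password", "SHA-Password", "SSHA-Password", "NT-Password"},
    "CHAP": {"Cleartext-Password"},
    "MS-CHAP": {"Cleartext-Password", "NT-Password"},  # incl. EAP-MSCHAPv2
}


def map_header(value):
    """Map one userPassword value to (control attribute, payload)."""
    if value.startswith("{"):
        end = value.find("}")
        if end > 0:
            attr = HEADER_TO_ATTR.get(value[:end + 1].lower())
            if attr:
                return attr, value[end + 1:]
    # Assumption: an unrecognised or missing header means cleartext.
    return "Cleartext-Password", value


def map_passwords(values):
    """Emulate auto_header over every password attribute of one user."""
    return dict(map_header(v) for v in values)


def usable_methods(values):
    """Return the methods that at least one stored form can satisfy."""
    attrs = set(map_passwords(values))
    return {m for m, ok in METHOD_COMPATIBLE.items() if attrs & ok}


def make_ssha(password, salt=None):
    """Build an {SSHA} payload: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def verify_ssha(password, payload):
    """PAP-style check: recompute the salted SHA1 and compare digests."""
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


if __name__ == "__main__":
    # Constructed sample entry: only an SSHA hash, like the one in the thread.
    ssha_only = ["{SSHA}" + make_ssha("example-pw", b"s4lt")]
    print(map_passwords(ssha_only))        # {'SSHA-Password': '...'}
    print(sorted(usable_methods(ssha_only)))  # ['PAP']

    # Same user after adding an NT hash (constructed placeholder payload).
    with_nt = ssha_only + ["{NT}0123456789ABCDEF0123456789ABCDEF"]
    print(sorted(usable_methods(with_nt)))  # ['MS-CHAP', 'PAP']
    print(verify_ssha("example-pw", ssha_only[0][6:]))  # True
```

Running it against the entry from the thread (an {SSHA} value only) reports PAP as the only usable method, which is exactly the `MS-CHAP2-Response is incorrect` outcome seen in the debug output; adding a cleartext or {NT} attribute is what makes MS-CHAP possible.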