Paul Dugas wrote: > The settings in NetworkManager on my Fedora Linux laptop, when I > choose WPA&WPA2-Enterprise and PEAP, allow MSCHAPv2 (default), MD5, > and GTC for the inner authentication. I see on the protocol > compatibility table you referenced that only clear-text and ntlm_auth > are available under PEAP and EAP-MSCHAPv2.
No. MS-CHAP is compatible with the "NT Hash" form, or "NT-Password". This same form is also used by ntlm_auth. > I do not have clear-text > passwords in my LDAP directory so I concluded I needed to look into > ntlm_auth. > > Where did I go wrong? You have mistaken a tool for a method. "ntlm_auth" is a tool which gets MS-CHAP to authentication to Active Directory. "NT hash" is a password hashing method. If you do not have clear-text or NT hashed passwords in your LDAP database, then *no* tool will magically make MS-CHAP work. The problem is the method used to store the password. The problem is *not* the tool used to retrieve the password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html