Hi,

I am trying to make PEAP work with an LDAP/Samba backend and MSCHAPv2. It works well for user authentication (they have LM and NT stored in the LDAP). However, machine auth is causing issues. It appears to have only the NT-Password stored in the LDAP. I thought that should be sufficient for MSCHAP to handle the auth, is it?

[ldap] looking for check items in directory...
  [ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W          ]"
  [ldap] userPassword -> Password-With-Header == "..."
  [ldap] ntPassword -> NT-Password == 0x34343446...242
[ldap] looking for reply items in directory...
[ldap] user host/dti-dahport authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: host/dti-dahport
[mschap] Told to do MS-CHAPv2 for host/dti-dahport with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

My MSCHAP config:
mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
}

Any thoughts?

Thanks!

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
