Hi Fajar,

I just checked with the LDAP admin and he told me passwords are stored with SHA encryption and not cleartext (can't change them to clear text).
Does that mean there is no way to make TTLS/PEAP/MSCHAPv2 work with it? If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the Windows laptops as they have PEAP/MSCHAPv2 only. Any workaround?

Thanks
Wassim.

On 4/20/12 10:30 AM, "Fajar A. Nugraha" <l...@fajar.net> wrote:

>On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour
><wassim.zaar...@navlink.com> wrote:
>
>> On 4/20/12 10:15 AM, "Fajar A. Nugraha" <l...@fajar.net> wrote:
>
>>>Long version:
>>>MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either:
>>>- Cleartext-Password or NT-Hash available (in LDAP, sql, users file
>>>whatever), OR
>>>- an active directory
>>>
>>>If you don't have either, then it won't work.
>>
>> Hi Fajar,
>>
>> Passwords are stored as clear text in my LDAP, that should make MSCHAPv2
>> work right?
>
>Yes, if FR can find them. This part of the log says it can't:
>
>[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter
>(uid=pk)
>[ldap] looking for check items in directory...
>[ldap] looking for reply items in directory...
>WARNING: No "known good" password was found in LDAP. Are you sure that
>the user is configured correctly?
>
>You might need to play around with the user used to login to LDAP, as
>some systems only give out passwords to admin accounts. Testing manual
>LDAP lookup using command line tool (e.g. ldapsearch) helps. If you
>CAN get your ldap server to return cleartext password with ldapsearch,
>then you should be able to configure FR to get that as well.
>
>--
>Fajar
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
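
Added example, not part of the thread and not FreeRADIUS code: a sketch of why a `{SHA}` or `{SSHA}` `userPassword` value, as `ldapsearch` would print it, can validate a TTLS/PAP login but cannot serve MSCHAPv2, which per the reply above needs the cleartext password or an NT hash. The function names, password and salt are constructed for illustration.

```python
import base64, hashlib, hmac

def parse_user_password(ldif_line):
    """Return (scheme, payload) from an LDIF userPassword line."""
    attr, _, value = ldif_line.partition(":")
    if attr.strip().lower() != "userpassword":
        raise ValueError("not a userPassword line")
    if value.startswith(":"):              # 'userPassword:: <base64>' form
        raw = base64.b64decode(value[1:].strip())
    else:                                  # 'userPassword: <text>' form
        raw = value.strip().encode()
    if raw.startswith(b"{") and b"}" in raw:
        scheme, _, payload = raw[1:].partition(b"}")
        return scheme.decode().upper(), payload
    return "CLEARTEXT", raw

def pap_check(scheme, payload, supplied):
    """PAP hands the typed password to the server, which can re-hash and compare."""
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload, supplied)
    blob = base64.b64decode(payload)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(supplied).digest(), blob)
    if scheme == "SSHA":                   # 20-byte SHA-1 digest followed by the salt
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(supplied + salt).digest(), digest)
    raise ValueError("scheme not handled in this example: " + scheme)

def mschapv2_possible(scheme):
    """MSCHAPv2 never sends the password, so a one-way SHA digest is no use to it.
    An NT hash held in a separate attribute would also work; not modelled here."""
    return scheme == "CLEARTEXT"

# Constructed sample data: the same password in three storage forms.
SAMPLE_PW = b"example-Passw0rd"
SALT = b"\x01\x02\x03\x04"

def ldif(stored):
    """Format a stored value the way ldapsearch prints binary-safe attributes."""
    return "userPassword:: " + base64.b64encode(stored).decode()

SHA_LINE = ldif(b"{SHA}" + base64.b64encode(hashlib.sha1(SAMPLE_PW).digest()))
SSHA_LINE = ldif(b"{SSHA}" + base64.b64encode(hashlib.sha1(SAMPLE_PW + SALT).digest() + SALT))
CLEAR_LINE = "userPassword: example-Passw0rd"
```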