[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: Re: router, freeradius, freeipa
From: Alan DeKok <aland () deployingradius ! com>
Date: 2019-12-20 22:22:43
Message-ID: 0E3383AF-FB1F-43F6-A409-04AB34DF459E () deployingradius ! com
[Download RAW message or body]
On Dec 19, 2019, at 7:38 PM, Robert <rwt@n-voice.com> wrote:
> I have a feeling I'm really close to getting this to work. Spent a
> lot of time reading old posts and such. If I don't use mschap it works
> (first try). If I use mschap it doesn't (Second try).
That's always the same issue: password formats.
Please read the documentation about what to post to the list:
http://wiki.freeradius.org/list-help
We DON'T need to see the output of radclient. We DON'T need to see the output of \
tests which work.
> (1) ldap: control:Password-With-Header +=
> '{PBKDF2_SHA256}AAAIAEhOrJwqZkQ2Xq6WP4lVdbpoUu6uUvswCNAcoxTx1yHPt79yzSK
> ZC1pPccla4Pmnkcj1HPeKF6zuWC0srkIND9fiJuG6Q3Npsd8la6B6smIqgt4mI0WhYtY2Us
> dGd2uloy15ST+tK+WO4pZfOJbZ4zI82qbd3zgzeD1QSnT/F0oxLZ4yUcr6aYbSi1/I4KCYP
> 6tJFb9Cnq8eXXbdp6JCpNw1VCn+a9TYrjCPkP+kwglCX28Ovq9zt8VX5K/19PysnChU9vaX
> ZWwbfiTk0rbissyoBcYIzruO73f18zsyWUYiXHpq0GyybK0d8X4ddC5DxRTDilzZ3GuCBUm
> uFNaviktPV66jfoMclpPI1LFRZJjND5T6/xSTTKIyO7GDrERM2HdX1oVElLKzdBCbu0IfhS
> kHw6dcYaJ2cx5DQM/tdv5u'
> ...
> (1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-
> writing to Cleartext-Password
That's pretty clear.
The passwords are stored in a format that FreeRADIUS doesn't understand.
> (1) mschap: Found Cleartext-Password, hashing to create NT-Password
> (1) mschap: ERROR: Failed generating NT-Password
Because the Cleartext-Password is *not* that big blob above.
> Please let me know if I can provide anything else that would be useful.
When you join the list, you get sent an email with a link to the wiki. The email \
tells you what we need.
> If there is a guide on how to get dd_wrt, freeradius and freeipa
> working I'd like to see that. I've read a bunch of them so far. This is
> the closest I can get.
The Wiki actually has pretty good documentation, as does the default configuration \
files. It's almost 2020. We don't recommend reading random web pages that are \
likely years out of date.
> python3-samba-4.11.3-0.fc31.x86_64 Thu 19 Dec 2019 05:50:53
> PM EST
We don't need to see lists of RPMs on the system.
Read this web page. That page has existed for ~15 years, and documents protocol \
compatibly:
http://deployingradius.com/documents/protocols/compatibility.html
The "pap" test fails, because you're forcing "Auth-Type := LDAP". Which means that \
the LDAP module uses the users password to do a "bind as user" to LDAP. So the LDAP \
server does the authentication.
LDAP servers do *not* support MS-CHAP authentication.
Your choices are listed on the web page above.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic