OpenLDAP login with RADIUS

Dear All,

I want to implement login for network admins through our OpenLDAP database. I have configured FreeRadius for this purpose and configured RADIUS on the router.
However, login is not working, as MikroTik is using the MSCHAP protocol for login and obviously in OpenLDAP we don't have NT-Password or a plaintext password.

Does anyone know some kind of workaround to make this work? Some utilities which can write NT hash for every user and update it when needed, or any other possibilities.

I have tried it with a plaintext password, but no luck; FreeRADIUS still says that it can't authenticate the user.

MSCHAP will definitely work against plaintext credentials. If your setup does not, it is most likely a FreeRADIUS configuration error - run it with debugging enabled and look at the logs.

Depending on how your password changing is implemented you should be able to incorporate something which will store the NT hash in the schema.

Yes, you were right, the config was not complete in FreeRadius. Documentation is a little bit basic and misleading. I was missing the control statement on the ldap module to assign the Cleartext-Password/NT-Password:

update control {
   NT-Password := sambaNTPassword
}

Now I just need to figure out how to update the NT-Password via smbk5pwd and assign the "Mikrotik-Group" attribute via group membership.