Hi,
I have recently moved to using MikroTik hardware and have really enjoyed configuring the products, but have come upon a stumbling block that I cannot work out.
My setup is that I have OpenLDAP running with SSHA hashed passwords for users in the LDAP database.
I am also running FreeRADIUS as a RADIUS proxy to OpenLDAP because MikroTik does not support LDAP and only supports RADIUS, so OK, use FreeRADIUS as a proxy.
However, when trying to log in to the router when RADIUS is activated, the FreeRADIUS debugging says that auth type mschap found. Now this sounds wrong: I have not configured MS-CHAP on my router, nor do I believe that MS-CHAP will work with hashed passwords from OpenLDAP, as the RADIUS server itself will never have a plaintext password to hash/compare if using MS-CHAP.
Storing user passwords in plaintext is an absolute no-go; however, using PAP over RadSec is fine.
How can I go about setting this up?
If not, then in future releases can we please have the option of using PAP+RadSec instead of MS-CHAP for RADIUS login? Or even better, a direct LDAP login option? It seems bizarre to only have a single option that does not work in a variety of cases for centralized AAA.
Thanks
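
The mismatch described in the post, as an added example that is not part of the original post and is not FreeRADIUS or RouterOS code: with PAP the server receives the cleartext and can recompute an OpenLDAP `{SSHA}` value, while MS-CHAP gives it only a challenge response, which a salted SHA-1 cannot be used to check. The function names, the `NT`/`CLEARTEXT` scheme labels and the sample password are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # the SHA-1 digest sits in front of the salt


def make_ssha(password, salt=None):
    """Build an OpenLDAP-style value: {SSHA}base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored):
    """Split a stored {SSHA} value into (digest, salt); reject malformed input."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("missing salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_pap(stored, cleartext):
    """PAP delivers the cleartext, so the salted hash can be redone and compared."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def server_can_check(method, stored):
    """Can a server that holds only `stored` verify a login made with `method`?"""
    scheme = stored[1:stored.index("}")].upper()
    if method == "pap":
        return True  # any one-way hash works when the cleartext arrives
    # MS-CHAP sends only a challenge response derived from the NT hash
    # (MD4 of the UTF-16LE password); the server needs that hash or the cleartext.
    return scheme in ("NT", "CLEARTEXT")  # scheme labels assumed for this example


if __name__ == "__main__":
    entry = make_ssha("correct horse", salt=b"\x01\x02\x03\x04")  # constructed sample
    print(entry, verify_pap(entry, "correct horse"), verify_pap(entry, "wrong"))
    print("mschap usable:", server_can_check("mschap", entry))
```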