Closed (dmgeurts closed 4 months ago)
Hi,
CHAP will only work with clear-text passwords defined in user profiles. There's no way to let LDAP authenticate CHAP. You could perhaps modify your LDAP schema to add a CHAP clear-text password and adjust configuration and/or backend scripts to return that password to the daemon for verification, but I've doubts that that would be worth the effort.
I actually think the issue here is that your device (router, switch, whatever) is configured to use CHAP for authentication. If you absolutely need to use CHAP you can configure a user with a dedicated clear-text password:
user demo { password chap = clear whatever }
Cheers,
Marc
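Why CHAP needs the clear-text password on the server while PAP does not, as an added example that is not part of the original thread or of tac_plus-ng. It follows the RFC 1994 CHAP digest; the challenge, salt and the PBKDF2 stand-in for a directory's stored hash are constructed assumptions, and `whatever` is the sample password from the reply above.

```python
import hashlib
import hmac


def chap_response(ppp_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ppp_id]) + secret + challenge).digest()


def server_verify_chap(ppp_id, challenge, response, secret_on_server) -> bool:
    """The server has to recompute the digest, so it needs the secret itself."""
    expected = chap_response(ppp_id, secret_on_server, challenge)
    return hmac.compare_digest(expected, response)


def directory_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for the salted one-way hash a directory stores (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def server_verify_pap(password_from_client, salt, stored_hash) -> bool:
    """PAP hands over the password, so it can be checked against a hash
    (or forwarded in an LDAP bind) without any clear-text copy on the server."""
    candidate = directory_hash(password_from_client, salt)
    return hmac.compare_digest(candidate, stored_hash)


# Constructed sample values, not taken from any real device or directory.
PPP_ID = 7
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = b"whatever"
SALT = b"constructed-salt"
STORED_HASH = directory_hash(PASSWORD, SALT)
CLIENT_RESPONSE = chap_response(PPP_ID, PASSWORD, CHALLENGE)


def demo() -> dict:
    return {
        # Server holds the clear-text secret: the digest can be recomputed.
        "chap_with_cleartext": server_verify_chap(PPP_ID, CHALLENGE, CLIENT_RESPONSE, PASSWORD),
        # Server holds only the directory hash: nothing it has reproduces the digest.
        "chap_with_hash_only": server_verify_chap(PPP_ID, CHALLENGE, CLIENT_RESPONSE, STORED_HASH),
        # PAP against the same hash-only store succeeds.
        "pap_with_hash_only": server_verify_pap(PASSWORD, SALT, STORED_HASH),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```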
That's clear then, so my options are clear text or pap when using LDAP? Indeed I configured the device for chap assuming this to be the safer standard. However, after refreshing myself with TACACS encryption, I see clear text will do just fine.
I'm trying to make sense of this error in the tac_plus-ng logs.
I'm using FreeIPA as LDAP source and auth works against that, so I'm thinking this must be chap specific? What am I missing? Is `pap backend = mavis` required for chap? Do I need to do something specific in my LDAP database?

My sanitised config: