linux
Denis Sechin, 2019-12-02 10:38:37

Compatibility issue between MS-CHAPv2 and ldap base?

The setup is client (macOS) <-> Aruba (IAP-207) <-> FreeRADIUS (2.2.5) <-> LDAP (slapd). RADIUS and LDAP run on physically separate machines. LDAP stores user passwords as SSHA1 (salted SHA-1). On the Aruba (IAP-207), the feature that terminates the EAP tunnel directly on the access point is enabled, so the controller then sends a plain RADIUS packet, encapsulated in UDP, to the RADIUS server.


1) User-Name = "noc.noc"
2) NAS-IP-Address = 172.16.98.9
3) NAS-Port = 0
4) NAS-Port-Type = Wireless-802.11
5) Calling-Station-Id = "0088653dc372"
6) Called-Station-Id = "24f27fcef196"
7) Service-Type = Framed-User
8) Aruba-Essid-Name = "NOC"
9) Aruba-Location-Id = "leo-lv10-ap09-sw0168"
10) Aruba-AP-Group = "leo-lv10-cluster-aps"
11) MS-CHAP-Challenge = 0x7f3f68430d3da8d4c0c4af**********************
12) MS-CHAP2-Response = 0x0e4de87a4eced1541ebb4e7224b50fda0000000000000000eb81498b02475cb58********
13) Message-Authenticator = 0x81ae3c61e25ed97fb37caf82c448cb29

This is taken from the RADIUS server logs. Lines 11-12 show that termination happened on the access point and that the controller has already handed the challenge and response to RADIUS. Here is the snag: on this site people say that MS-CHAP and SSHA1 cannot be combined in any way. But my setup works perfectly well (as long as EAP termination works on the access point). As I understand it, does RADIUS, based on the challenge/response it receives, decrypt the password and format it as SSHA1 in order to pass it to LDAP and compare it with the original? Or can someone explain how this setup miraculously works? Thanks.


1 answer
Vladimir Dubrovin, 2019-12-03
@z3apa3a

MS-CHAPv2 uses the password as an NT hash (MD4 of the password in Unicode UTF-16), so it cannot "decrypt" or otherwise make use of a SHA-1 password. What actually happens depends on the LDAP and RADIUS server configuration. Roughly, the possible options are:
1. The password is stored in clear text or as an unsalted NT hash, not as salted SHA-1 (possibly alongside the salted SHA-1 password as a separate attribute). Most likely.
2. LDAP supports NTLM authentication and RADIUS in fact proxies the NTLM authentication to LDAP, without using the password stored in LDAP.
3. The password is not taken from LDAP at all. Also very likely.
4. -CHAPv2 this should not work, because authorization is mutual there)
5. Not MS-CHAPv2 is used but something else.
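To make the answer's point concrete, here is an added example (not from the question or the answer, and not FreeRADIUS or slapd code) that walks through the two pieces of an MS-CHAPv2 verifier that depend on how the password is stored: NtPasswordHash (MD4 over the UTF-16LE password) and ChallengeHash, both per RFC 2759, checked against that RFC's published test vectors (user "User", password "clientPass"). The final NT-Response step (DES under keys cut from the NT hash) is left out because Python's standard library has no DES. Beside it, an {SSHA} userPassword verifier shows why the salted SHA-1 value alone is a dead end: it can only answer "does this clear-text candidate match?" and can never produce the NT hash. `mschapv2_key_material` is a hypothetical helper over a constructed directory entry (the attribute names `userPassword` and `sambaNTPassword` are the standard OpenLDAP and Samba ones) that returns the NT hash when the entry makes it recoverable, as in option 1 of the answer, and None for an SSHA-only entry.

```python
import base64
import hashlib
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Written out here because hashlib.new("md4") is absent on
    OpenSSL 3 builds unless the legacy provider is loaded."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Pad: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(v + w) & mask for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 section 8.3): MD4 over the UTF-16LE password. This
    is the only form of the password an MS-CHAPv2 verifier can work with."""
    return md4(password.encode("utf-16le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 section 8.2): first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName). The NT-Response
    is then DES of this value under keys cut from the NT hash (not shown here)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword value: base64(SHA-1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, candidate: str) -> bool:
    """The one operation an {SSHA} value supports: check a clear-text candidate.
    Nothing here can turn the stored value back into an NT hash."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def mschapv2_key_material(entry: dict) -> Optional[bytes]:
    """Hypothetical helper: given a directory entry (dict of attribute -> value),
    return the NT hash an MS-CHAPv2 verifier needs, or None if the stored
    forms cannot yield it."""
    if "sambaNTPassword" in entry:           # NT hash kept as hex in the Samba schema
        return bytes.fromhex(entry["sambaNTPassword"])
    pw = entry.get("userPassword")
    if pw is None or pw.startswith("{"):     # absent, or a one-way {SSHA}/{SHA}/{CRYPT} value
        return None
    return nt_hash(pw)                       # clear-text userPassword: derive the NT hash on the fly


if __name__ == "__main__":
    # RFC 2759 section 9.2 test vectors: UserName "User", Password "clientPass".
    auth_chal = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer_chal = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    print("PasswordHash :", nt_hash("clientPass").hex())                      # 44ebba8d5312b8d611474411f56989ae
    print("Challenge    :", challenge_hash(peer_chal, auth_chal, "User").hex())  # d02e4386bce91226

    # Constructed directory entries for the three storage options.
    salt = b"constructed-salt"
    ssha_only = {"userPassword": make_ssha("clientPass", salt)}
    ssha_plus_nt = dict(ssha_only, sambaNTPassword=nt_hash("clientPass").hex())
    cleartext = {"userPassword": "clientPass"}
    for name, entry in (("SSHA only", ssha_only), ("SSHA + NT hash", ssha_plus_nt), ("clear text", cleartext)):
        km = mschapv2_key_material(entry)
        print(f"{name:15}: MS-CHAPv2 possible = {km is not None}")
```

Running it prints the two RFC values and then the three storage cases side by side: only the entries that carry a clear-text password or an NT hash let the verifier proceed. This is also why FreeRADIUS's mschap module requires either a clear-text password or an NT hash: with nothing but an {SSHA} attribute the only thing a RADIUS server could do is bind to LDAP with a clear-text password, which MS-CHAPv2 never gives it.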
