Yet another PEAP/LDAP Question

Phil Mayers p.mayers at imperial.ac.uk
Wed Jan 25 17:39:01 CET 2006


Jon P. Giza wrote:
> Hello all:
> 
> I am trying to setup a 802.1x WiFi authentication system using freeradius.
> My setup is as follows:
> 
> Windows XP SP2 as the supplicant using PEAP/MSCHAPv2
> Cisco Aironet 1231
> Freeradius 1.1.0
> IBM Lotus Domino LDAP
> 
> The process is mostly working - Freeradius binds to LDAP properly, the User
> gets authorized, Freeradius pulls the correct password hash from the Domino
> LDAP server. But, then the MSCHAP portion fails.  Portion of the log is
> shown below which I believe shows the problem.  
> 
> I am thinking that the problem is that I am not telling Freeradius how to
> hash the supplied password correctly to match the Domino password.  The
> aggravating part is that we are using the exact same Domino LDAP server to
> authenticate our VPN users.  

That's only relevant if the VPN is using MS-CHAP to authenticate, and 
even then only if it's doing it by extracting the hash as opposed to 
"some other" method.

> 
> Full (sanitized) copy of the debug output is here:
> http://www.xbytenetworks.com/debug-log.txt
> Copy of Radiusd.conf is here:  http://www.xbytenetworks.com/radiusd.conf
> 
> Thanks in advance for any help you can offer.
> 
> Jon
> 
> 
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for jon.giza
> radius_xlat:  '(uid=jon.giza)'
> radius_xlat:  'OU=Waukesha,OU=NA,O=MyCo'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in OU=Waukesha,OU=NA,O=MyCo, with filter
> (uid=jon.giza)
> rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check items

That looks like the right format to be an NT hash. However, the default 
radiusd.conf (and yours) says:

# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# Set:
#       password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
#  The server can usually figure this out on its own, and pull
#  the correct User-Password or NT-Password from the database.
#
#  Note that NT-Passwords MUST be stored as a 32-digit hex
#  string, and MUST start off with "0x", such as:
#
#       0x000102030405060708090a0b0c0d0e0f
#
#  Without the leading "0x", NT-Passwords will not work.
#  This goes for NT-Passwords stored in SQL, too.

Having said that, I don't see any evidence of this so-called "figuring 
out" in the rlm_ldap source code - it looks to me like it does this:

if password_attribute:
    val = ldap_result_attr(password_attribute)
    if password_header:
        if val.startswith(password_header):
            val = val[len(password_header):]   # strip the "{type}" header
        else:
            error("no password header found")
    check_items.add("Password", val)

i.e. a straight copy to User-Password with optional removal of a {type} 
header

What you want to do is get the NT hash into the "NT-Password" attribute, 
which you normally do in the ldap.attrmap section. By default this is 
set up to do this:

checkItem       LM-Password                     lmPassword
checkItem       NT-Password                     ntPassword

...but from the looks of it your LDAP has the NT hash unadorned in the 
"userPassword" attribute. So, comment out "password_attribute" in the 
LDAP module, and set this in the ldap.attrmap file:

checkItem NT-Password userPassword




> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user jon.giza authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 5
> modcall: leaving group authorize (returns updated) for request 5
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 5
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
>   Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 5
>   rlm_mschap: Told to do MS-CHAPv2 for jon.giza with NT-Password
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module "mschap" returns reject for request 5
> modcall: leaving group MS-CHAP (returns reject) for request 5
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 5
> modcall: leaving group authenticate (returns reject) for request 5
> auth: Failed to validate the user.
> Login incorrect: [jon.giza/<no User-Password attribute>] (from client
> wifi.myco.com port 0)
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE
>   modcall[authenticate]: module "eap" returns handled for request 5
> modcall: leaving group authenticate (returns handled) for request 5
> Sending Access-Challenge of id 152 to 10.100.224.235 port 1645
>         EAP-Message =
> 0x010800261900170301001b1bb3ec40925325e30990ce3b14a78af7abc1f7222d06716740d2
> ff
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x132496908cd3121e6967d7ddafcdd795
> Finished request 5
> 



