Freeradius and Active directory (An aside)

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue May 20 16:26:06 CEST 2008


Nicolas Goutte wrote:
>
> On 20.05.2008 at 16:05, Dean, Barry wrote:
>
>> Alan DeKok said:
>>
>>>  It is impossible to use CHAP to authenticate to AD.  You MUST use
>>> MS-CHAP, or PAP.
>>
>> When testing my Radius server with AD and XSupplicant I found that 
>> EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with 
>> CHAP inner auth all failed.
>>
>> So you have explained why EAP-TTLS (CHAP) fails, thanks!
>>
>> So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius 
>> config broken?
>
> As far as I understand, the password for MS-CHAP is MD4 on UTF-16LE. 
> So if you have only a password for MS-CHAP, you do not have a MD5 
> version of the password.
>
That's correct. We don't use AD so didn't have the NT Hash of the user's 
password in our LDAP directory. We used transparent credential capture 
on one of our major web applications over a few months to populate the 
NT Password field.

Here is a nice one-liner (well three with the example) in PHP:

<?php

// NT hash: MD4 over the UCS-2LE (UTF-16LE) encoding of the password
$str = 'myPassword';

$hash = bin2hex(mhash(MHASH_MD4,mb_substr(mb_convert_encoding($str,'UCS-2LE','auto'),0,128)));

echo $hash;

?>
>
>>
>> ---------------
>> Barry Dean
>> Networks Team
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>
>
> Have a nice day!
>
> Nicolas Goutte
>
>
> extragroup GmbH - Karlsruhe
> Waldstr. 49
> 76133 Karlsruhe
> Germany
>
> Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
> Commercial register court: Amtsgericht Münster / HRB: 5624
> Tax no.: 337/5903/0421 / VAT ID: DE 204607841
>


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services (IT Services) 
E1-1-08, Engineering 1, University Of Sussex, Brighton
EXT: +44 1273 873900 | INT: 3900



