FR and PEAP question
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Mon May 26 16:00:04 CEST 2008
Matt Ashfield wrote:
>
> Hi,
>
> We’re looking into using PEAP with MSChapV2, instead of PAP (don’t
> want to use the SecureW2 client anymore) so are investigating ways to
> store the password in LDAP.
>
> According to
> http://deployingradius.com/documents/protocols/compatibility.html ,the
> options are storing the password in Clear-Text or in an NT Hash
> (ntlm_auth).
>
> In talking with our LDAP people, I was told the following:
>
> SunOne does not support nt-hash passwords. Supported formats are
> CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
>
> Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5,
> NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and
> SSHA512.
>
This means that your userPassword attribute must contain your password
in the previously mentioned hash forms. This userPassword attribute is
used internally by your LDAP directory in order to authenticate your
access (bind) to the LDAP server.
> It sounds to me like if we want to do PEAP/MSChapV2 we’d have to store
> the password in cleartext? I would just like to verify this via this list.
>
Not necessarily. You may _not_ want to use LDAP binding as the
authentication process, but only use your LDAP directory as a database
backend in which FR will read a given LDAP attribute (different from
'userPassword') and map it to the NT-Hash version of the user password.
In other words (setup for FR1.7):
* in your LDAP directory entries add a new attribute (that will hold the
NT-Hash version of the user password)
* update the configuration file ldap.attrmap so that the new ldap
attribute maps to the radius NT-Password attribute
* set up your rlm_ldap module and use it in the authorize section (NOT
the authenticate section)
* don't forget to use the mschap module in your authorize section (after
the ldap one) so that the MS-CHAP authentication will see the hashed
user password and set Auth-Type accordingly
Hope this helps,
Thibault
> Any advice is appreciated.
>
> Thanks
>
> Matt
>
> mda at unb.ca
>