Recommendation

Phil Mayers p.mayers at imperial.ac.uk
Wed Aug 18 09:03:38 CEST 2010


On 08/17/2010 09:20 PM, Paul Dugas wrote:
> On Tue, Aug 17, 2010 at 4:02 PM, Alan DeKok<aland at deployingradius.com>  wrote:
>>   If you do not have clear-text or NT hashed passwords in your LDAP
>> database, then *no* tool will magically make MS-CHAP work.  The problem
>> is the method used to store the password.  The problem is *not* the tool
>> used to retrieve the password.
>
> If I do have NT hashed passwords in LDAP, is PEAP with ntlm_auth the
> recommendation?

No.

MS-CHAP requires access to the NT hash to execute the 
challenge/response. This means you have 3 options:

  1. Use a datastore containing the NT hash directly. In your case, let 
the "ldap" module fetch the user's NT hash, then the "mschap" module 
perform challenge/response.

  2. Use a datastore containing the cleartext password. Fetch the 
cleartext password, generate the NT hash, proceed as above.

  NOTE: options 1 & 2 would *not* work if your LDAP server were active 
directory, since AD doesn't permit access to the passwords or hashes.

  3. Hand off the challenge/response to a 3rd party who *does* have 
access to one of the above. This is typically done by a) installing 
Samba b) joining a windows domain/active directory and c) using the 
ntlm_auth helper to pass the challenge/response request to a domain 
controller.


In your case, provided you are using the default configurations, the 
ldap module will fetch the NT hash, and mschap will do the 
authentication. The "ntlm_auth" helper is not applicable; it's only used 
on a samba domain member to pass requests to the domain controller(s).
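To make the "NT hash or cleartext, nothing else" point concrete, here is an added example that is not part of the thread or of FreeRADIUS itself. It derives the NT hash the way option 2 requires (MD4 over the UTF-16LE password, done with a small pure-Python MD4 so it runs without OpenSSL's legacy provider) and then decides, for constructed LDAP-style records, whether a server could run MS-CHAP at all: a stored NT hash (option 1) or a cleartext `userPassword` (option 2) works, while a salted SHA `userPassword` does not. The attribute names and the records are assumptions for illustration; the MS-CHAP challenge/response itself, which the "mschap" module performs on the resulting hash, is not shown.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); only needed because modern OpenSSL hides md4."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                      # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3
            k = r3_order[i]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """Option 2: the NT hash is MD4 of the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def nt_hash_for_mschap(record: dict):
    """Return the NT hash the mschap module would need, or None if the
    stored form cannot yield one.  Attribute names are assumptions."""
    if "sambaNTPassword" in record:               # option 1: hash stored directly
        return bytes.fromhex(record["sambaNTPassword"].decode())
    pw = record.get("userPassword")
    if pw is None:
        return None
    if pw.startswith(b"{") and not pw.upper().startswith(b"{CLEARTEXT}"):
        return None                               # {SSHA}, {CRYPT}, ...: one-way, unusable
    if pw.upper().startswith(b"{CLEARTEXT}"):
        pw = pw[len(b"{CLEARTEXT}"):]
    return nt_hash(pw.decode("utf-8"))            # option 2: derive the hash


# Constructed records, not real directory data.
RECORDS = {
    "alice": {"userPassword": b"password"},                       # cleartext
    "bob":   {"sambaNTPassword": b"8846F7EAEE8FB117AD06BDD830B7586C"},  # stored NT hash
    "carol": {"userPassword": b"{SSHA}fakeBase64SaltedShaValue=="},    # hashed: no MS-CHAP
}


def mschap_capable(records: dict) -> dict:
    """Map each user to True/False: can MS-CHAP be evaluated from what is stored?"""
    return {user: nt_hash_for_mschap(rec) is not None for user, rec in records.items()}


if __name__ == "__main__":
    for user, ok in mschap_capable(RECORDS).items():
        print(f"{user}: {'MS-CHAP possible' if ok else 'MS-CHAP impossible'}")
```

Note that alice's derived hash and bob's stored one are identical bytes: the server never needs the cleartext, only the hash, which is also why the NT hash is password-equivalent for MS-CHAP and deserves the same access controls in the directory as a cleartext password.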
