LDAP/MSCHAP

Sven Hartge sven at svenhartge.de
Fri Nov 11 00:24:02 CET 2011


Whitlow, Michael <mwhitlow at bumail.bradley.edu> wrote:

> I am really close to a successful Freeradius implementation for 802.1X
> wireless using LDAP authentication on the back end. 

Nope, you are not very close.

You _cannot_ use any LDAP authentication (via binding with a DN to the
LDAP server) with any CHAP authentication. This will never work. 

You cannot use LDAP as an authentication oracle here, you have to use it
more like a database.

See http://deployingradius.com/documents/protocols/oracles.html, quote:

"An authentication oracle is a system where the RADIUS server does not
perform the authentication itself, but instead passes the users
authentication credentials to another system. "

This does NOT work with MSCHAP, since the RADIUS server _does not have_
the complete authentication credentials in this case: it is missing the
password. The only thing it has is the hashed version, the so-called
"challenge".

> Here is what I have:

> -          RADTEST / clear text Freeradius password from "users" file /
> WORKS GREAT

Works because of the cleartext password.

> -          Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / clear text
> Freeradius password from "users" file / WORKS GREAT

Works because of the cleartext password.

> -          RADTEST / LDAP credentials / WORKS GREAT

Works, because this uses PAP, which does _not_ need a cleartext password
on the RADIUS server: radtest supplies a cleartext password itself in
the RADIUS packet (inside the attribute User-Password), and the server's
ldap module can then use this information to bind to the LDAP server
using the username and the password supplied by radtest.

CHAP does _not_ work like this.

> -          Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / LDAP
> credentials / NO GO

Does not work, because you don't have any cleartext password in the
RADIUS server, because your LDAP setup does not provide one.

And before you ask: no, just reading userPassword from the LDAP server
will not help, because in 99.9% of cases this is a crypted password,
mostly hashed using SHA1.

> Here is the debug output. I have read others online with these symptoms
> but nothing I have found yet will help me. 

This is untrue. This comes up every fscking time anyone tries to use
LDAP and MSCHAP. It is a common error.

> [mschapv2] +- entering group MS-CHAP {...}

> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.

> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.

You will need to do the following:

a) set up a special user inside your LDAP tree for freeradius. This
special user needs to have the correct permissions to read an attribute
with the cleartext password of any user.

b) configure this special user in {confdir}/modules/ldap, search
for "identity"

c) change password_attribute to the cleartext-password attribute you
are using if it is not userPassword. (I strongly recommend using a
different password attribute for your users, but the default is OK too,
if you don't mind having the main password of a user stored in cleartext
inside your LDAP tree.)

This way FreeRADIUS logs into the LDAP server using its own credentials,
searches for the username, reads the cleartext password and _THEN_ the
mschapv2 module is able to work.

This is the _only_ way to get MSCHAPv2 to work with LDAP.
And this has been discussed on this list every time anyone has tried to
tie LDAP and FreeRADIUS together.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
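The "oracle versus database" distinction in the reply above, as an added illustration that is not code from the mailing list or from FreeRADIUS. It models a tiny directory with a hashed userPassword and a separate cleartext attribute, then runs the two authentication paths against it: PAP, where the request carries User-Password and a bind works, and a challenge/response scheme, where the RADIUS server only ever holds the challenge and the response and therefore has nothing to bind with. Plain CHAP (RFC 1994, MD5) stands in for MS-CHAPv2 because it needs only the standard library; the structural point is identical. The DNs, the host and the attribute name `radiusClearPassword` are assumptions.

```python
# Added illustration (not code from the thread or from FreeRADIUS):
# why an LDAP bind can verify PAP but not a challenge/response method,
# and why reading the password attribute with a service identity can.
import base64
import hashlib
import hmac

# --- constructed directory (all names hypothetical) -------------------------
SERVICE_DN = "cn=freeradius,ou=services,dc=example,dc=org"
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
CLEAR_ATTR = "radiusClearPassword"   # dedicated cleartext attribute, not userPassword


def sha_userpassword(password: str) -> str:
    """Encode a password the way OpenLDAP stores a {SHA} userPassword."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


DIRECTORY = {
    ALICE_DN: {
        "userPassword": sha_userpassword("correct horse"),
        CLEAR_ATTR: "correct horse",
    },
}

# Attribute-level ACL: the cleartext attribute is readable only by the
# RADIUS service identity; attributes not listed here are readable by anyone.
ACL = {CLEAR_ATTR: {SERVICE_DN}}


# --- LDAP server side -------------------------------------------------------
def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind: LDAP as an authentication oracle. The caller hands over the
    cleartext password and gets back only yes or no."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    stored = entry["userPassword"]
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64decode(stored[len("{SHA}"):])
    return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), digest)


def ldap_read(dn: str, attribute: str, as_identity: str):
    """Read one attribute: LDAP as a database. Returns None when the entry, the
    attribute or the permission is missing."""
    entry = DIRECTORY.get(dn)
    if entry is None or attribute not in entry:
        return None
    allowed = ACL.get(attribute)            # None means world-readable
    if allowed is not None and as_identity not in allowed:
        return None
    return entry[attribute]


# --- RADIUS server side -----------------------------------------------------
def pap_authenticate(user_dn: str, user_password: str) -> bool:
    """PAP: User-Password is in the Access-Request, so the server can bind as
    the user. This is the path radtest exercises."""
    return ldap_bind(user_dn, user_password)


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """Supplicant side of CHAP (RFC 1994): MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_authenticate_via_bind(user_dn: str, ident: int, challenge: bytes,
                               response: bytes) -> bool:
    """The setup from the thread: the server holds only the challenge and the
    response, so there is no password it could bind with."""
    raise LookupError("cannot bind: the request carries no cleartext password")


def chap_authenticate_via_lookup(user_dn: str, ident: int, challenge: bytes,
                                 response: bytes, attribute: str = CLEAR_ATTR) -> bool:
    """Read the password attribute as the service identity and recompute the
    response locally. Pointing this at the hashed userPassword instead yields
    a wrong response, which is why reading userPassword does not help."""
    secret = ldap_read(user_dn, attribute, as_identity=SERVICE_DN)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)
```

The ACL in the toy is the part that matters operationally: a user identity can read its own hashed userPassword but not the cleartext attribute, and only the service DN used in the ldap module's `identity` setting can. Whatever holds that attribute in a real directory needs the equivalent restriction.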

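Steps a) to c) above, written out as the entries of `{confdir}/modules/ldap` on a FreeRADIUS 2.x server. This is an added example, not the stock file shipped with FreeRADIUS and not the original poster's configuration; the host name, the DNs, the service-account password placeholder and the attribute name `radiusClearPassword` are assumptions.

```conf
#  Added example for {confdir}/modules/ldap (FreeRADIUS 2.x); not the stock
#  file. Host, DNs and the attribute name are assumptions.
ldap {
	server = "ldap.example.org"

	#  Step b): the service identity FreeRADIUS binds with. This is the
	#  special user from step a); the directory's ACL must let this DN,
	#  and only this DN, read the password attribute named below.
	identity = "cn=freeradius,ou=services,dc=example,dc=org"
	password = "SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER"

	basedn = "ou=people,dc=example,dc=org"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	#  Step c): the attribute holding the cleartext password. A dedicated
	#  attribute rather than userPassword keeps the user's main password
	#  hashed in the directory.
	password_attribute = "radiusClearPassword"

	#  The cleartext attribute crosses the network on every lookup, so
	#  require StartTLS towards the directory and verify its certificate.
	tls {
		start_tls = yes
		require_cert = "demand"
	}

	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}
```

With this in place the ldap module populates Cleartext-Password from the lookup, which is exactly what the quoted debug lines ("No Cleartext-Password configured") say was missing, and rlm_mschap derives NT-Password from it. As a general FreeRADIUS point outside this thread: rlm_mschap can also work from an NT-Password check item directly, and the stock ldap.attrmap already maps Samba-schema attributes such as sambaNTPassword to it, so a directory that carries NT hashes for its users can serve MS-CHAPv2 without storing cleartext; the hash is still password-equivalent material and needs the same read restriction.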