understanding

Phil Mayers p.mayers at imperial.ac.uk
Thu Mar 29 14:44:57 CEST 2012


On 29/03/12 13:24, Heinrich, Sebastian wrote:
> Hello Everybody,
>
> I have two questions for my understanding. I set up FreeRADIUS to
> authenticate against our Active Directory. I read in the readme that
> this couldn't be done with the ldap module, so I did it with SAMBA. It
> works fine for MSCHAPv2. But nowhere does it say why it couldn't be done with
> the ldap module. Can anybody give a technical explanation? As I read it, the
> ldap module can only work with cleartext passwords and eap is encrypted.
> But why can't it work with. A technical explanation would be nice.

Basically: MS-CHAP is a cryptographic challenge-response protocol. To 
perform the correct crypto, you need the NT-Hash of the user's password.

If you have Active Directory, you can't extract this hash; it is stored 
in the domain controllers, and not visible over LDAP.

Therefore, you have to use Samba/ntlm_auth to "send" the MS-CHAP to a 
domain controller, which does the crypto for you.

> As I wrote, I set FreeRADIUS up to work fine with the Active
> Directory. I configured the eap.conf to work with PEAP and MSCHAPv2.
> When I configured it in this way, I don't need certificates? The
> certificates aren't checked by the clients or server, are they? Do I
> need certificates when I use PEAP with MSCHAPv2, or am I doing something
> wrong?

You need a certificate at the server side. You should make sure your 
clients validate this certificate, otherwise an attacker can impersonate 
you and capture MS-CHAP packets, and perform cryptographic attacks.

You don't need a certificate at the client side.
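To make the NT-Hash point above concrete, here is the MS-CHAPv2 NT-Response computation from RFC 2759 as an added example in Go; it is not code from this thread, from FreeRADIUS or from Samba. It uses only the Go standard library (the MD4 routine is hand-written because the standard library has none) and the RFC 2759 section 9.2 test vectors as sample input. The point it shows is that the verifier's input is the NT hash of the password, never the cleartext: a server that cannot read that hash out of the directory has to pass the challenge and response to something that holds it, which with Active Directory is the domain controller reached through ntlm_auth. The same 24-byte response is also what an impersonating server collects when clients do not validate the RADIUS server certificate, which is why that validation matters.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a minimal MD4 (RFC 1320). Go's standard library has no MD4; it is needed
// here only because the NT hash is MD4 over the UTF-16LE encoding of the password.
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	m := append(append([]byte{}, msg...), 0x80) // padding: 0x80, zeros to 56 mod 64, LE bit length
	m = append(m, make([]byte, (56-len(m)%64+64)%64)...)
	var bitLen [8]byte
	binary.LittleEndian.PutUint64(bitLen[:], uint64(len(msg))*8)
	m = append(m, bitLen[:]...)
	s1, s2, s3 := []int{3, 7, 11, 19}, []int{3, 5, 9, 13}, []int{3, 9, 11, 15}
	k2 := []int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	k3 := []int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(m[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F = (x AND y) OR (NOT x AND z)
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(x, y, z)
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[k2[i]]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = x XOR y XOR z
			a, b, c, d = d, bits.RotateLeft32(a+(b^c^d)+x[k3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is what the domain controller stores: MD4(UTF-16LE(password)).
func ntHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], v)
	}
	return md4(buf)
}

// desKey56 spreads 7 key bytes over 8, 7 bits each; DES ignores each low (parity) bit.
func desKey56(k7 []byte) []byte {
	k8 := []byte{k7[0] & 0xfe, 0, 0, 0, 0, 0, 0, k7[6] << 1}
	for i := 1; i < 7; i++ {
		k8[i] = k7[i-1]<<(8-uint(i)) | k7[i]>>uint(i)
	}
	return k8
}

// ntResponse is the 24-byte NT-Response of RFC 2759 section 8.1: the 8-byte challenge
// hash (SHA1 of PeerChallenge || AuthenticatorChallenge || UserName, section 8.2)
// DES-encrypted under each 7-byte slice of the zero-padded NT hash. The input is the
// NT hash, never the cleartext password, which is why the verifier must hold that hash.
func ntResponse(authChallenge, peerChallenge []byte, username string, hash [16]byte) []byte {
	ch := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), username...))
	padded := make([]byte, 21) // 16 hash bytes + 5 zero bytes = 3 x 7-byte DES keys
	copy(padded, hash[:])
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKey56(padded[7*i : 7*i+7]))
		if err != nil {
			panic(err)
		}
		block.Encrypt(resp[8*i:], ch[:8])
	}
	return resp
}

// verifyNTResponse is the check done by whoever holds the NT hash (with AD: the domain
// controller, reached through ntlm_auth). An LDAP bind cannot substitute for it.
func verifyNTResponse(authChallenge, peerChallenge []byte, username string, hash [16]byte, resp []byte) bool {
	return subtle.ConstantTimeCompare(ntResponse(authChallenge, peerChallenge, username, hash), resp) == 1
}

func main() {
	// Sample input: the test vectors of RFC 2759 section 9.2.
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	resp := ntResponse(auth, peer, "User", ntHash("clientPass"))
	fmt.Printf("NT-Response %X\n", resp) // 82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF
	fmt.Println("right hash:", verifyNTResponse(auth, peer, "User", ntHash("clientPass"), resp),
		"wrong hash:", verifyNTResponse(auth, peer, "User", ntHash("other"), resp))
}
```

Running it prints the RFC's NT-Response and then `right hash: true wrong hash: false`: only a party holding the user's NT hash can tell a valid response from an invalid one, and that hash is exactly what an LDAP query against Active Directory does not return.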

