802.1X PEAP / MSCHAPv2 (with nt-password)

Phil Mayers p.mayers at imperial.ac.uk
Fri Nov 30 19:16:04 CET 2012


On 30/11/12 16:39, Thomas Dupas wrote:
> Dear,
>
> at the risk of falling in a known trap.
> I've read enough statements that one can't do mschapv2 with openldap,
> unless you store the passwords in clear-text. I know that

That's not true.

You need the NT hash to perform mschapv2. Therefore, you either need the 
actual nt hash, or the plaintext password (and FreeRADIUS will derive 
the NT hash for you).

>
> But those same sources also state that this isn't true when you have a
> (MS) hash available for those users, like NT-/LM-PASSWORD, which I have.
>
> Yet my configuration still seems to expect clear-text passwords.
>  From the debug output (cleaned):
>
> [ldap] looking for check items in directory...
>    [ldap] userPassword -> User-Password == "{crypt}<cryptpasswd>"
>    [ldap] userPassword -> Password-With-Header == "{crypt}<cryptpasswd>"
>    [ldap] sambaNTPassword -> *NT-Password == 0x<hash>*
>    [ldap] sambaLMPassword -> *LM-Password == 0x<hash>*

>
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.

That just says it can't *create* them. If they're present already, 
that's fine.

> [mschap] Creating challenge hash with username: <userid>
> *[mschap] Told to do MS-CHAPv2 for <userid> with NT-Password*
> *[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.*

Hmm.

> *[mschap] FAILED: MS-CHAP2-Response is incorrect*
> ++[mschap] returns reject
>
> What am I missing in the configuration? It has the hashed passwords,
> seemingly mapped to the correct attributes, yet it still says it doesn't
> have them.

It should work in theory. I'd need to see a full debug.


> config is as stock as possible, using
> http://vuksan.com/linux/dot1x/802-1x-LDAP.html and
> http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius as guidelines.

I haven't read those docs, but most of the 3rd party documentation on 
the internet is either wrong or out-of-date.

Follow the docs that come with the server or on the FreeRADIUS wiki.

>
> See pastebin for the entire configuration, since one can't post
> attachments to a mailing list. http://pastebin.com/d6FWVS1F

The config is not useful. What's useful is a full debug, gathered with 
"radiusd -X", showing a failing auth.
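To make the point in the reply concrete: MS-CHAPv2 proves knowledge of the NT hash, which is MD4 over the UTF-16LE password, so a directory must hand the server either that hash (e.g. Samba's sambaNTPassword) or the cleartext it can be derived from; a {crypt} or {SSHA} userPassword cannot be turned into one. The script below is an added example and is not code from this thread or from FreeRADIUS. It derives the NT hash the way the server would from Cleartext-Password, mirrors the "use stored hash, else derive, else reject" decision rlm_mschap makes (simplified: password headers other than none are treated as non-cleartext), and computes the RFC 2759 ChallengeHash. The LDAP entries are constructed for illustration; MD4 is implemented inline because hashlib's 'md4' is frequently unavailable on OpenSSL 3 builds.

```python
"""Added example (not FreeRADIUS code): the NT hash that MS-CHAPv2 needs.

Sample LDAP entries and attribute handling are simplified assumptions;
the checks mirror the debug lines in the thread, not the server's source.
"""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline (hashlib 'md4' is often missing)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        r = h[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (4 - i % 4) % 4  # operate on a, d, c, b in turn
                val = (r[t] + fn(r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]) + X[k] + const) & MASK
                r[t] = _lrot(val, shifts[i % 4])
        h = [(x + y) & MASK for x, y in zip(h, r)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); what the server derives from Cleartext-Password."""
    return md4(password.encode("utf-16-le"))


def mschap_nt_hash_from_entry(entry: dict):
    """Decide what rlm_mschap can work with for one (constructed) LDAP entry.

    Returns the NT hash bytes if a stored hash exists or can be derived from a
    cleartext password, or None in the '[mschap] FAILED: No NT/LM-Password' case.
    Simplification: any '{...}' header on userPassword is treated as non-cleartext.
    """
    if "sambaNTPassword" in entry:
        return bytes.fromhex(entry["sambaNTPassword"])
    pw = entry.get("userPassword")
    if pw is not None and not pw.startswith("{"):
        return nt_hash(pw)
    return None  # {crypt}, {SSHA}, ... cannot be converted into an NT hash


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


if __name__ == "__main__":
    # Constructed entries: the first matches the failing case in the thread (crypt only),
    # the second has the Samba hash, the third a cleartext userPassword.
    entries = {
        "crypt-only": {"userPassword": "{crypt}$6$saltsalt$hashhash"},
        "samba-hash": {"userPassword": "{crypt}$6$saltsalt$hashhash",
                       "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"},
        "cleartext": {"userPassword": "password"},
    }
    for name, e in entries.items():
        nt = mschap_nt_hash_from_entry(e)
        print(f"{name:11s} -> {'NT-Password ' + nt.hex().upper() if nt else 'cannot do MS-CHAPv2'}")
```

Run it as-is to see which of the three constructed entries would let MS-CHAPv2 proceed; the "crypt-only" entry is the situation where the server prints "No NT/LM-Password", while the "samba-hash" entry is the one the thread expects to work once the attribute mapping is right.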


More information about the Freeradius-Users mailing list