Enterasys Wireless controller with Mgmt user authentication via RADIUS MSCHAP
Alan Alejandro Villaverde
alan.villaverde at gmail.com
Thu Oct 30 18:31:37 CET 2014
Understood! Thanks for your support and time, guys!
2014-10-30 11:49 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
> Alan Alejandro Villaverde wrote:
> > The only way I found to make it work is setting the following lines in
> > the users file:
> >
> > vi users:
> >
> > avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456"
>
> Don't do that. You were told to not do that. It's not necessary.
> It's wrong.
>
> > It works, but how do you handle 1000 users, for example? It becomes very
> > difficult to manage the user passwords.
>
> You put the passwords in a database. That's what databases are for.
>
> > For instance, if the user changes the password in the Linux box, then you
> > need to edit the users file to replicate that password.
>
> i.e. you store the passwords in 2 places, so when the password
> changes, it has to be changed in both places.
>
> That's not a surprise.
>
> > I have tacacs+ running in the same box, and the user only has to use a
> > single password for radius and tacacs, defined by passwd. I am using PAM
> > authentication for this.
>
> I have no idea what that means.
>
> > On the other hand, if I work with PAP I can handle the users like
> > Linux users, so the management is easier and it depends on the final
> > user. The user can access the Linux box and change his password with a
> > simple passwd and all is replicated for tacacs and freeradius. It is the
> > way it is working today, but I was requested to set MSCHAP
> > authentication due to security audits.
>
> MS-CHAP isn't much more secure than PAP.
>
> > When a user tries to access the wireless controller, he puts in his password and
> > then radius checks the password against the passwd file or shadow file
> > without any necessity of "editing the radius users file".
>
> MS-CHAP is incompatible with /etc/passwd. It's impossible to use them
> both.
>
> > I think I am missing something regarding how to set MSCHAP
> > authentication, and that radius checks the password without using
> > Cleartext-Password in the USERS file.
>
> The server doesn't care where it gets the password from. It doesn't
> matter if it's the "users" file, a database, or anywhere else.
>
> The server DOES care about the format of the password. MS-CHAP
> requires clear-text passwords, *or* NT hashed passwords. Neither format
> can be stored in /etc/passwd.
>
> It's impossible to "work around" this. Don't even try.
>
> Alan DeKok.
--
Alan Alejandro Villaverde.