PEAP/EAP-MSCHAPv2 with OpenLDAP
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Aug 2 22:17:49 CEST 2017
> I have FreeRadius 3 and OpenLDAP and I want to use PEAP + EAP-MSCHAPv2 for
> authentication.
> I have NT-hash stored in a custom LDAP attribute.
>
> I am still finding contradicting information whether that setup is
> supported. Is it?
> If so, is NT-hash == MD4(user_password)?
Not quite, it's the password converted to UTF16-LE encoding and then run through MD4.
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_pap/rlm_pap.c#L995
There's a helpful utility called smbcrypt which is built at part of the server:
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_mschap/smbencrypt.c
you could probably use that to create the hashes.
The steps would be:
- Modify LDAP ACLs so only the RADIUS user can read your custom LDAP attribute (it's pretty much as good as cleartext because MD4 is very much broken).
- Add an entry in the user mapping to map <your custom password attr> := &control:NT-Password
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/mods-available/ldap#L116
- Call LDAP in the inner tunnel server to set the password attributes.
-Arran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170802/de58c980/attachment.sig>
More information about the Freeradius-Users
mailing list