PEAP/EAP-MSCHAPv2 with OpenLDAP

mr mh1113 mrmh1113 at gmail.com
Thu Aug 3 18:33:23 CEST 2017


Well, it's not as easy as one might think.

I am getting this error:
NT-Password found but incorrect length, expected 16 bytes got 40 bytes.
Authentication may fail

An MD4 hash has 32 characters; it's a hex number, so 2 characters = 1
byte. 32 / 2 = 16 bytes, and this is the "length" that is expected.
The other 8 bytes (32 + 8 = 40) are the header {nthash}, curly brackets
included. I've tried the {nt} header and a blank header with no success.
It seems that FreeRadius interprets the value in my custom LDAP attribute as
plain text, not as a hex number.
The LDAP attribute is of type "text".

Custom LDAP attribute contains text value E217DE3A51C1329B751A28B9792F42DB.

There was a thread about a similar problem:
https://github.com/FreeRADIUS/freeradius-server/issues/679
I use FreeRadius 3.0.4 from CentOS 7 with backported fixes from upstream.

  ldap : User object found at DN "uid=112,ou=users,dc=tga,dc=net"
(8)   ldap : Processing user attributes
(8)   ldap :    control:NT-Password :=
0x7b6e747d4532313744453341353143313332394237353141323842393739324634324442
rlm_ldap (ldap): Released connection (9)
(8)    [ldap] = ok
(8)    [expiration] = noop
(8)    [logintime] = noop
(8)   } #  authorize = updated
(8)  Found Auth-Type = EAP
(8)  # Executing group from file /etc/raddb/sites-enabled/tga
(8)    authenticate {
(8)   eap : Expiring EAP session with state 0xe671e8cee679f217
(8)   eap : Finished EAP session with state 0xe671e8cee679f217
(8)   eap : Previous EAP request found for state 0xe671e8cee679f217,
released from the list
(8)   eap : Peer sent method MSCHAPv2 (26)
(8)   eap : EAP MSCHAPv2 (26)
(8)   eap : Calling eap_mschapv2 to process EAP data
(8)   eap_mschapv2 : # Executing group from file
/etc/raddb/sites-enabled/tga
(8)   eap_mschapv2 :  Auth-Type MS-CHAP {
(8)    WARNING: mschap : No Cleartext-Password configured.  Cannot create
LM-Password
(8)    WARNING: mschap : NT-Password found but incorrect length, expected
16 bytes got 32 bytes.  Authentication may fail
(8)    WARNING: mschap : No Cleartext-Password configured.  Cannot create
NT-Password
(8)    mschap : Creating challenge hash with username: 112
(8)    mschap : Client is using MS-CHAPv2
(8)    ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform
authentication
(8)    ERROR: mschap : MS-CHAP2-Response is incorrect



On Wed, Aug 2, 2017 at 10:17 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

>
> > I have FreeRadius 3 and OpenLDAP and I want to use PEAP + EAP-MSCHAPv2
> for
> > authentication.
> > I have NT-hash stored in a custom LDAP attribute.
> >
> > I am still finding contradicting information whether that setup is
> > supported. Is it?
> > If so, is NT-hash == MD4(user_password)?
>
> Not quite, it's the password converted to UTF16-LE encoding and then run
> through MD4.
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_pap/rlm_pap.c#L995
>
> There's a helpful utility called smbcrypt which is built as part of the
> server:
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_mschap/smbencrypt.c
>
> you could probably use that to create the hashes.
>
> The steps would be:
>
> - Modify LDAP ACLs so only the RADIUS user can read your custom LDAP
> attribute (it's pretty much as good as cleartext because MD4 is very much
> broken).
> - Add an entry in the user mapping to map <your custom password attr> :=
> &control:NT-Password
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/mods-available/ldap#L116
>
> - Call LDAP in the inner tunnel server to set the password attributes.
>
> -Arran
>
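A worked illustration of the two points discussed above: the 16-byte length that mschap expects, and Arran's definition of the NT hash as MD4 over the UTF-16-LE encoding of the password. This is example code added here, not code from the post or from FreeRADIUS. It decodes the control:NT-Password octets printed in the debug output to show what the LDAP attribute actually contained, reduces a headed or hex-encoded value to the 16 raw bytes, and computes an NT hash for a constructed sample password. The MD4 routine is written out inline so the script runs even where hashlib does not expose the legacy algorithm. KNOWN_HEADERS, normalise_nt_password and the sample password are constructed for this example and do not describe how rlm_ldap or rlm_mschap process the attribute.

```python
import struct

# control:NT-Password exactly as printed in the debug output above
# (the "0x..." form FreeRADIUS uses when it renders an octets value).
LOGGED_NT_PASSWORD = (
    "0x7b6e747d4532313744453341353143313332394237353141323842393739324634324442"
)

# Headers the poster tried in front of the hex string (constructed list).
KNOWN_HEADERS = ("{nthash}", "{nt}")


def _md4(message: bytes) -> bytes:
    """Minimal MD4 (RFC 1320). Written out here so the example does not rely on
    hashlib.new('md4'), which is unavailable on many OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    def rotl(x, n):
        x &= 0xFFFFFFFF                       # mask before rotating
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(message) * 8)   # bit length, little-endian
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a, b, c, d = d, rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a, b, c, d = d, rotl(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = ((v + w) & 0xFFFFFFFF for v, w in ((a0, a), (b0, b), (c0, c), (d0, d)))
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash as described in the reply: MD4 over UTF-16-LE(password),
    not MD4 over the password's raw bytes."""
    return _md4(password.encode("utf-16-le"))


def decode_logged_octets(logged: str) -> bytes:
    """Turn the 0x... rendering from the debug log back into the raw bytes
    the ldap module placed in control:NT-Password."""
    return bytes.fromhex(logged[2:] if logged.startswith("0x") else logged)


def normalise_nt_password(raw: bytes) -> bytes:
    """Reduce an attribute value to the 16 raw bytes MS-CHAP needs.

    Accepts 16 raw bytes, 32 hex characters, or 32 hex characters behind one
    of KNOWN_HEADERS. Anything else raises, quoting the length the way the
    mschap warning in the log does. Illustrative logic, not FreeRADIUS's own.
    """
    if len(raw) == 16:
        return raw
    text = raw.decode("ascii", errors="replace")
    for header in KNOWN_HEADERS:
        if text.lower().startswith(header):
            text = text[len(header):]
            break
    try:
        digest = bytes.fromhex(text)
    except ValueError:
        digest = b""
    if len(digest) != 16:
        raise ValueError(
            f"NT-Password found but incorrect length, expected 16 bytes got {len(raw)} bytes"
        )
    return digest


if __name__ == "__main__":
    raw = decode_logged_octets(LOGGED_NT_PASSWORD)
    print(len(raw), "bytes received:", raw)          # the header and hex digits, as ASCII text
    print("16-byte value:", normalise_nt_password(raw).hex())
    print("NT hash of constructed sample 'password':", nt_hash("password").hex())
```

Running it shows that the attribute reached mschap as the 36 ASCII bytes "{nt}E217DE3A51C1329B751A28B9792F42DB", i.e. the header plus the hex digits themselves, rather than the 16 bytes those digits encode; that is the length mismatch the warning reports.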
