<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 08.00.0681.000">
<TITLE>RE: FR and PEAP question</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Hi,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">I’m now trying your suggestions for getting FR and PEAP working together. Below is the result of a radtest that I did.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">The password that is being supplied by radtest is in plain-text; should I be supplying it in ntPassword-encrypted format?</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">It looks to me like I have something wrong with my authenticate section.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">My authorize section looks like:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">authorize {</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> preprocess</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> chap</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> mschap</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> suffix</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> eap</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> Autz-Type Ldap1 {</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> redundant-load-balance {</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> unbldap</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> unbldap2</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> }</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> mschap</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> }</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">}</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">The radtest result is below:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">rad_recv: Access-Request packet from host 127.0.0.1 port 32769, id=97, length=55</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> User-Name = "mda"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> User-Password = "abc123"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> NAS-IP-Address = 127.0.0.1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New"> NAS-Port = 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: +- entering group authorize</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: ++[preprocess] returns ok</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: ++[chap] returns noop</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: ++[mschap] returns noop</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No '@' in User-Name = "mda", looking up realm NULL</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No such realm "NULL"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: ++[suffix] returns noop</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: rlm_eap: No EAP-Message, not doing EAP</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: ++[eap] returns noop</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: ++[files] returns noop</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: auth: Failed to validate the user.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Auth: Login incorrect: [mda] (from client localhost port 0)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: Delaying reject of request 0 for 1 seconds</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: Going to the next request</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:34 2008 : Debug: Waking up in 0.9 seconds.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:35 2008 : Debug: Sending delayed reject for request 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Sending Access-Reject of id 97 to 127.0.0.1 port 32769</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:35 2008 : Debug: Waking up in 4.9 seconds.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:40 2008 : Debug: Cleaning up request 0 ID 97 with timestamp +17</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=1 FACE="Courier New">Tue Jun 10 10:07:40 2008 : Debug: Ready to process requests.</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Any assistance is appreciated</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Consolas">.</FONT></SPAN></P>
<BR>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Thanks</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT FACE="Consolas">Matt </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">mda@unb.ca</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">-----Original Message-----<BR>
From: Thibault Le Meur [<A HREF="mailto:Thibault.LeMeur@supelec.fr">mailto:Thibault.LeMeur@supelec.fr</A>]<BR>
Sent: Monday, May 26, 2008 11:00 AM<BR>
To: mda@unb.ca; FreeRadius users mailing list<BR>
Subject: Re: FR and PEAP question</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Matt Ashfield wrote:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> Hi,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> We’re looking into using PEAP with MSChapV2, instead of PAP (don’t </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> want to use the SecureW2 client anymore) so are investigating ways to </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> store the password in LDAP.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> According to </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> <A HREF="http://deployingradius.com/documents/protocols/compatibility.html">http://deployingradius.com/documents/protocols/compatibility.html</A> ,the </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> options are storing the password in Clear-Text or in an NT Hash </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> (ntlm_auth).</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> In talking with our LDAP people, I was told the following:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> SunOne does not support nt-hash passwords. Supported formats are </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> SSHA512.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">This means that your userPassword attribute must contain your password </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">in the previously mentioned hash forms. This userPassword attribute is </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">used internally by your LDAP directory in order to authenticate your </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">access (bind) to the LDAP server.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> It sounds to me like if we want to do PEAP/MSChapV2 we’d have to store </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> the password in cleartext? I would just like to verify this via this list.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Not necessarily. You may _not_ want to use ldap binding as the </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">authentication process, but only use your LDAP directory as a database </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">backend in which FR will read a given ldap attribute (different from </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">'userPassword') and maps it to the NT-Hash version of the user password.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">In other words (setup for FR1.7):</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">* in your LDAP directory entries add a new attribute (that will hold the </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">NT-Hash version of the user password)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">* update the configuration file ldap.attrmap so that the new ldap </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">attribute maps to the radius NT-Password attribute</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">* setup your rlm_ldap module and use it in the authorize section (NOT </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">the authenticate section)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">* don't forget to use the mschap module in your authorize section (after </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">the ldap one) so that the MS-CHAP Authentication will see the encrypted </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">user password and sets Auth-Type accordingly</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Hope this helps,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Thibault</FONT></SPAN></P>
<BR>
<BR>
<BR>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> Any advice is appreciated.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> Thanks</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> Matt</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> mda@unb.ca</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> ------------------------------------------------------------------------</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> -</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">> List info/subscribe/unsubscribe? See <A HREF="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A></FONT></SPAN></P>
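<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Editor's added example (not code from either poster or from the FreeRADIUS project): the reply above says to keep the directory's own userPassword for LDAP binds and to add a second attribute holding the NT hash, which rlm_ldap maps to the NT-Password check item so that rlm_mschap can complete MS-CHAPv2. The script below produces both values for a provisioning job: the NT hash (MD4 over the UTF-16LE password, with a pure-Python MD4 because OpenSSL 3 builds often lack the legacy MD4 provider) and an SSHA userPassword, and emits an LDIF changerecord. The attribute name ntPassword and the DN are illustrative assumptions. Note that a plain radtest Access-Request carries User-Password (PAP), which rlm_mschap ignores; that is why the debug output above shows "++[mschap] returns noop" and no Auth-Type being set.</FONT></SPAN></P>

```python
"""Provision the NT-Password value FreeRADIUS needs for MS-CHAPv2 (added example)."""
import base64
import hashlib
import os

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used instead of hashlib.new('md4') because
    many OpenSSL 3 builds ship without the legacy provider that supplies MD4."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += bit_len.to_bytes(8, "little")

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (boolean function, additive constant, per-step shifts, word order) for the 3 rounds
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        block = msg[off:off + 64]
        x = [int.from_bytes(block[i:i + 4], "little") for i in range(0, 64, 4)]
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + x[k] + const) & MASK
                # Rotate the roles so every step updates the register currently named 'a';
                # after each group of four steps the registers are back in A,B,C,D order.
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return b"".join(s.to_bytes(4, "little") for s in state)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 of the UTF-16LE encoding of the password.
    This is all MS-CHAPv2 needs server-side; SHA/SSHA/crypt forms cannot be used."""
    return md4(password.encode("utf-16-le"))


def nt_password_value(password: str) -> str:
    """Form rlm_mschap accepts in the NT-Password check item: 32 hex characters
    (an optional 0x prefix is also accepted)."""
    return nt_hash(password).hex().upper()


def ssha_userpassword(password: str, salt: bytes = None) -> str:
    """RFC 2307-style {SSHA} value for the directory's own userPassword (bind use only)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value (what the LDAP server does on bind)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_modify(dn: str, password: str, attr: str = "ntPassword") -> str:
    """LDIF changerecord that sets the NT-hash attribute next to userPassword.
    The attribute name is an assumption; use whatever your schema extension defines."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        f"replace: {attr}",
        f"{attr}: {nt_password_value(password)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entry, not data from the thread.
    print(ldif_modify("uid=mda,ou=people,dc=example,dc=ca", "abc123"))
    print("userPassword: " + ssha_userpassword("abc123"))
```

<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">To wire the attribute in, the matching ldap.attrmap line would read "checkItem NT-Password ntPassword" (illustrative; the attribute name must match what you added to the schema), with ldap listed in authorize ahead of mschap exactly as the reply describes. Because the NT hash is unsalted and is password-equivalent for MS-CHAPv2, restrict read access on that attribute to the FreeRADIUS bind DN and treat a dump of it like a dump of clear-text passwords.</FONT></SPAN></P>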
</BODY>
</HTML>