On 09/12/13 08:45, David Hartburn wrote:
Hi,
Can anyone help advise if FreeRADIUS is suitable without any other changes to the existing infrastructure at my institution? If so, any advice on the best way to implement would be appreciated.
I am looking at options for replacing MS NPS with basically something better that works and is debuggable. FreeRadius looks the best option.
Our setup is a little complicated. Wireless users authenticate with EAP type PEAP, the inner authentication being done via MSCHAPv2. At the backend, we have a *nix based LDAP server with a particular attribute set for if a user is permitted to access the wireless network. Passwords are stored in an encrypted format.
Which encrypted format? Unless it's the NT hash (MD4 of UCS16 encoding of password) then you're out of luck I'm afraid, as MSCHAP requires plaintext or NT hash. See: http://deployingradius.com/documents/protocols/compatibility.html
you can read the userPassword attribute which must be plain text if MSCHAP is needed. Neither sounds suitable for what I need.
Is it possible for FreeRadius to use EAP, MSCHAP, check a LDAP attribute and an encrypted password?
Not unless it's the NT hash, no.
exists and has rights for wireless (I have this bit working), then to authenticate a bind is made as the user. Does this sound reasonable?
MSCHAP does not give the RADIUS server a username & password, so you can't "bind as" the user. Instead you get a challenge and response value, that need to be checked using a cryptographic algorithm that takes username & NT hash as inputs. So you need to store NT hash (or cleartext, which can be used to generate it). Cheers, Phil