Well, it's not as easy as one might think. I am getting this error: NT-Password found but incorrect length, expected 16 bytes got 40 bytes. Authentication may fail MD4 hash has 32 characters, it's hex number so that means 2 characters = 1 byte. 32 / 2 = 16 bytes and this "length" is expected. Another 8 bytes (32 + 8 = 40) is header {nthash} with curled brackets including. I've tried {nt} header and blank header with no success. It seems that FreeRadius interprets value in my custom LDAP attribute as plain text not hex number. LDAP attribute is type "text". Custom LDAP attribute contains text value E217DE3A51C1329B751A28B9792F42DB. There was a thread about similar problem https://github.com/FreeRADIUS/freeradius-server/issues/679 I use FreeRadius 3.0.4 from CentOS 7 with backported fixes from upstream. ldap : User object found at DN "uid=112,ou=users,dc=tga,dc=net" (8) ldap : Processing user attributes (8) ldap : control:NT-Password := 0x7b6e747d4532313744453341353143313332394237353141323842393739324634324442 rlm_ldap (ldap): Released connection (9) (8) [ldap] = ok (8) [expiration] = noop (8) [logintime] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/tga (8) authenticate { (8) eap : Expiring EAP session with state 0xe671e8cee679f217 (8) eap : Finished EAP session with state 0xe671e8cee679f217 (8) eap : Previous EAP request found for state 0xe671e8cee679f217, released from the list (8) eap : Peer sent method MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/tga (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (8) WARNING: mschap : NT-Password found but incorrect length, expected 16 bytes got 32 bytes. Authentication may fail (8) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password (8) mschap : Creating challenge hash with username: 112 (8) mschap : Client is using MS-CHAPv2 (8) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication (8) ERROR: mschap : MS-CHAP2-Response is incorrect On Wed, Aug 2, 2017 at 10:17 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
I have FreeRadius 3 and OpenLDAP and I want to use PEAP + EAP-MSCHAPv2 for authentication. I have NT-hash stored in a custom LDAP attribute.
I am still finding contradicting information whether that setup is supported. Is it? If so, is NT-hash == MD4(user_password)?
Not quite, it's the password converted to UTF16-LE encoding and then run through MD4.
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/ src/modules/rlm_pap/rlm_pap.c#L995
There's a helpful utility called smbcrypt which is built at part of the server:
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/ src/modules/rlm_mschap/smbencrypt.c
you could probably use that to create the hashes.
The steps would be:
- Modify LDAP ACLs so only the RADIUS user can read your custom LDAP attribute (it's pretty much as good as cleartext because MD4 is very much broken). - Add an entry in the user mapping to map <your custom password attr> := &control:NT-Password
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/ raddb/mods-available/ldap#L116
- Call LDAP in the inner tunnel server to set the password attributes.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html