Thanks for your reply Alan, On Thu, May 11, 2006 at 01:53:10AM -0400, Alan DeKok wrote:
Alain Fauconnet <alain@ait.ac.th> wrote:
I've browsed the FAQs, the mailing list archives but I have failed to find a definite, clear answer to this: what kind of user/password back-end can work if one is to support MS-CHAP?
I don't see why there was no clear answer. The answer has been given many, many, times, and is always the same. MS-CHAP works with clear-text passwords, or with NT-Passwords. Nothing else.
Then I must have missed it. I probably have searched for the wrong keywords... yes, I see now in the FAQ, I should have searched for "chap" and not "ms-chap" or "mschap". Sorry.
I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It works fine if I use PAP and no encryption. If I want to use encryption, I need MS-CHAP, right?
What kind of encryption do you mean? There are many kinds.
This PPTP so encryption is MPPE. When you configure a Windows client for a VPN (PPTP) connection, if you enable encryption and allow anything but MS-CHAP and MS-CHAP-V2, it says that if anything else is used (such as PAP), encryption will be disabled.
Right now my FreeRADIUS server is configured to use PAM.
Ugh. That's not nice. It's added complexity for no real benefit.
Well, I've inherited this installation and the Radius service is used for a dozen different things so I have to be very careful not to break anything. Anyway why is PAM so evil by itself? it adds a layer of abstraction and makes it a single place to tweak things if the authentication back-ends change. I understand that it defeats any requirement to access the cleartext passwords, though.
The master source of authentication is /etc/passwd and /etc/shadow, so passwords are in MD5 format.
MS-CHAP is impossible.
Roger that :-)
Is there any way I can get FreeRADIUS to handle MS-CHAP authentication requests from the Cisco box in this context? (i'm kind of expecting a big "no" here, but I want to be sure)
No.
If I'm not using Samba or a domain controller, do I need cleartext passwords to achieve this? where? in the "users" file only?
The passwords can be obtained from any database.
In radiusd.conf, the "mschap" module has parameters for a Samba smpasswd format file or invoking ntlm_auth. If neither is set, where does it try to get the password from? I'm confused.
The mschap module no longer supports smbpasswd files.
The mschap module doesn't "try" to get the password. It just does ms-chap authentication. Databases get the password, and add it to the RADIUS request. See doc/aaa.txt
OK, assuming I have a smbpasswd format file somewhere (not the case now), I should configure the mschap *and* passwd modules, uncommenting out: #passwd etc_smbpasswd { # filename = /etc/smbpasswd # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" # authtype = MS-CHAP # hashsize = 100 # ignorenislike = no # allowmultiplekeys = no #} is that correct? Greets, _Alain_