On 29/03/12 13:24, Heinrich, Sebastian wrote:
Hello Everybody,
I have two questions for my understanding. I set up FreeRADIUS to authenticate against our Active Directory. I read in the readme that this couldn´t be done with the ldap module, so I did it with SAMBA. It works fine for MSCHAPv2. But nowhere stands why it couldn’t be done with the ldap module. Can anybody give a technical explanation? As I read the ldap module can only work with cleartext passwords and eap is encrypted. But why can’t it work with. A technical explanation would be nice.
Basically: MS-CHAP is a cryptographic, challenge-response protocol. To perform the correct crypto, you need the NT-Hash of the users password. If you have Active Directory, you can't extract this hash; it is stored in the domain controllers, and not visible over LDAP. Therefore, you have to use Samba/ntlm_auth to "send" the MS-CHAP to a domain controller, which does the crypto for you.
As I wrote I setted FreeRADIUS up to work fine with the Active Directory. I configured the eap.conf to work with PEAP and MSCHAPv2. When I configured it in this way I don’t need certificates? The certificates aren’t checked by the clients or server aren’t they? Do I need certificates when I use PEAP with MSCHAPv2 or I am doing something wrong?
You need a certificate at the server side. You should make sure your clients validate this certificate, otherwise an attacker can impersonate you and capture MS-CHAP packets, and perform cryptographic attacks. You don't need a certificate at the client side.