Oki, thanks. In fact, I want my radius client crypt my passwd in md5 for example, and freeradius check the MD5 hash. So I understand I have to use PAP ?  In my modul ldap I think I have to put « password_attribute = userPassword ». But If I do, I have to put my password in clear in my ldap, otherwise it don’t works. Also, I can comment the « password_attribute = userPassword » in my ldap module and put my password in md5/ssha etc… in openldap and it works. But I don’t know very well why ??

 

 

modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Linked to module rlm_pap

 Module: Instantiating pap

  pap {

        encryption_scheme = "auto"

        auto_header = no

  }

 Module: Linked to module rlm_chap

 Module: Instantiating chap

 Module: Linked to module rlm_mschap

 Module: Instantiating mschap

  mschap {

        use_mppe = yes

        require_encryption = no

        require_strong = no

        with_ntdomain_hack = no

  }

 Module: Linked to module rlm_unix

 Module: Instantiating unix

  unix {

        radwtmp = "/var/log/radwtmp"

  }

 Module: Linked to module rlm_eap

 Module: Instantiating eap

  eap {

        default_eap_type = "md5"

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = 2048

  }

 Module: Linked to sub-module rlm_eap_md5

 Module: Instantiating eap-md5

 Module: Linked to sub-module rlm_eap_leap

 Module: Instantiating eap-leap

 Module: Linked to sub-module rlm_eap_gtc

 Module: Instantiating eap-gtc

   gtc {

        challenge = "Password: "

        auth_type = "PAP"

   }

 Module: Linked to sub-module rlm_eap_tls

 Module: Instantiating eap-tls

   tls {

        rsa_key_exchange = no

        dh_key_exchange = yes

        rsa_key_length = 512

        dh_key_length = 512

        verify_depth = 0

        pem_file_type = yes

        private_key_file = "/usr/local/etc/raddb/certs/server.pem"

        certificate_file = "/usr/local/etc/raddb/certs/server.pem"

        CA_file = "/usr/local/etc/raddb/certs/ca.pem"

        private_key_password = "whatever"

        dh_file = "/usr/local/etc/raddb/certs/dh"

        random_file = "/usr/local/etc/raddb/certs/random"

        fragment_size = 1024

        include_length = yes

        check_crl = no

        cipher_list = "DEFAULT"

        make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"

    cache {

        enable = no

        lifetime = 24

        max_entries = 255

    }

   }

 Module: Linked to sub-module rlm_eap_ttls

 Module: Instantiating eap-ttls

   ttls {

        default_eap_type = "md5"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_peap

 Module: Instantiating eap-peap

   peap {

        default_eap_type = "mschapv2"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        proxy_tunneled_request_as_eap = yes

        virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_mschapv2

 Module: Instantiating eap-mschapv2

   mschapv2 {

        with_ntdomain_hack = no

   }

 

De : freeradius-users-bounces+francois.mehault=netplus.fr@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus.fr@lists.freeradius.org] De la part de Nicolas Goutte
Envoyé : mardi 19 mai 2009 14:45
À : FreeRadius users mailing list
Objet : Re: communication safe ssh <-> NAS <-> FreeRADIUS ?

 

 

Am 19.05.2009 um 14:14 schrieb François Mehault:



Hi,

 

I authenticate on cisco equipments via ssh/telnet. There is no supplicant, so I don’t understand in my case and i would like to know if the communication between my cisco equipment and my FreeRadius  safe is. I have a secret shared between both. I understand that the communciation between freeradius and the client radius use the protocol Radius. But in my case there is no PEAP, EAP/TLS …

Someone can confirm me please if the communication is safe ? because I afraid to see in the file users my password in clear-text. Is it possible to use md5, ssha … and how ?

For the compatibility, see http://deployingradius.com/documents/protocols/compatibility.html

 

 

Thanks,

 

Regards,

 

 

François

-

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 

Have a nice day!

 

Nicolas Goutte

 

 

extragroup GmbH - Karlsruhe

Waldstr. 49

76133 Karlsruhe

Germany

 

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle

Registergericht: Amtsgericht Münster / HRB: 5624

Steuer Nr.: 337/5903/0421 / UstID: DE 204607841