Understood! Thanks for your support and time guys! 2014-10-30 11:49 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
Alan Alejandro Villaverde wrote:
The only way I found to make it works is setting the following lines in the user file:
vi users:
avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456"
Don't do that. You were told to not do that. It's not necessary. It's wrong.
It works, but how do you handle 1000 users for example? It turns very difficult to manage the user passwords.
You put the passwords in a database. That's what databases are for,
For instance, if the user change the password in the linux box, then you need to edit the users file to replicate that password.
i.e. you store the passwords in 2 places, so when the password changes, it has to be changed in both places.
That's not a surprise.
I have running tacacs+ in the same box, and the user only has to use an unique password for radius and tacacs defined by passwd. I am using PAM authentication for this.
I have no idea what that means.
On the other hand, If I work with PAP I can handle the users like a Linux user, so the managament is easier and it depends on the final user. The user can access the linux box and change his password with a simple passwd and all is replicated for tacacs and freeradius. It is the way how is working today, but I was requested to set MSCHAP authentication due to security audits.
MS-CHAP isn't much more secure than PAP.
When user try to access wireless controller, he puts his password and then radius checks the password with the passwd file or shadow file without any necesity of "editing radius users file"
MS-CHAP is incompatible with /etc/passwd. It's impossible to use them both.
I think I am missing something regarding how to set MSCHAP authentication, and that radius checks the password without using Cleartext-Password in the USERS file.
The server doesn't care where it gets the password from. It doesn't matter if it's the "users" file, a database, or anywhere else.
The server DOES care about the format of the password. MS-CHAP requires clear-text passwords, *or* NT hashed passwords. Neither format can be stored in /etc/passwd.
It's impossible to "work around" this. Don't even try.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alan Alejandro Villaverde. ,JL. j@, Zv uJ.u@qJ :LBO:v1 :r1@ MB G1 rB8Ur , r@Ei O .7 @. :N,:BBO05v,:, :7 u Or vM@r:E: rqr,: .v X Or 7@r v@U ,@::: 5 .L M: YO:2@OS. . .7: N iP Y@riBr ,:i::: :q ,q. qk :ii YO. iv7r77r iGF :7v7 :u0u. 7Lj ;5k1r7BN 7P552552v: LUM1, 7FUi:..v@B ik7JMJ. ..,v@rk. _..._ Y8. vL: .5@v E. .' '. ui,N: .G.O@: @ / _ _ \ .P: J7LEBO Bi | (o)_(o) | .1 i@B7 .MU \( ) / 2 :M@u .uMi //'._.'\ \ :k :U@BOi:vSM2B // . \ \ 7E@B@B@O8PrMk ;B || . \ \ @: @r |\ : / | EM. ;@ \ `) ' (` /_ .B7 0L _)``".____,.'"` (_ ..,:i;7vjuFXZEOMMBBL:::.rB@B@B@ ) )'--'( ( .,::ir77vvJjuu2UF5SS00GZOMBB@B@B@B@B@B@ '---` `---` ::iirr77rrr77vLLLjuu25FXPNZGMOOO@B@B@B@B@@@B@B@B@B :i:i::,:,i,:,:.:.:.:.:.:.:.,.,.,............. ...