Understood! Thanks for your support and time guys!

2014-10-30 11:49 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
Alan Alejandro Villaverde wrote:
> The only way I found to make it works is setting the following lines in
> the user file:
>
> vi users:
>
> avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456"

  Don't do that.  You were told to not do that.  It's not necessary.
It's wrong.

> It works, but how do you handle 1000 users for example? It turns very
> difficult to manage the user passwords.

  You put the passwords in a database.  That's what databases are for,

> For instance, if the user change the password in the linux box, then you
> need to edit the users file to replicate that password.

  i.e. you store the passwords in 2 places, so when the password
changes, it has to be changed in both places.

  That's not a surprise.

> I have running tacacs+ in the same box, and the user only has to use an
> unique password for radius and tacacs defined by passwd. I am using PAM
> authentication for this.

  I have no idea what that means.

> On the other hand, If I work with PAP I can handle the users like a
> Linux user, so the managament is easier and it depends on the final
> user. The user can access the linux box and change his password with a
> simple passwd and all is replicated for tacacs and freeradius. It is the
> way how is working today, but I was requested to set MSCHAP
> authentication due to security audits.

  MS-CHAP isn't much more secure than PAP.

> When user try to access wireless controller, he puts his password and
> then radius checks the password with the passwd file or shadow file
> without any necesity of "editing radius users file"

  MS-CHAP is incompatible with /etc/passwd.  It's impossible to use them
both.

> I think I am missing something regarding how to set MSCHAP
> authentication, and that radius checks the password without using
> Cleartext-Password in the USERS file.

  The server doesn't care where it gets the password from.  It doesn't
matter if it's the "users" file, a database, or anywhere else.

  The server DOES care about the format of the password.  MS-CHAP
requires clear-text passwords, *or* NT hashed passwords.  Neither format
can be stored in /etc/passwd.

  It's impossible to "work around" this.  Don't even try.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Alan Alejandro Villaverde.  
                                    ,JL.
                                  j@, Zv
                                uJ.u@qJ
                              :LBO:v1
                           :r1@  MB
                          G1 rB8Ur          ,
                         r@Ei  O        .7  @.
                       :N,:BBO05v,:, :7  u  Or
                      vM@r:E: rqr,:  .v  X  Or
                    7@r v@U   ,@:::  5  .L  M:
                  YO:2@OS.     .   .7:  N  iP
                  Y@riBr      ,:i:::  :q  ,q.
                    qk              :ii  YO.
                             iv7r77r   iGF              :7v7
                                    :u0u.   7Lj      ;5k1r7BN
                            7P552552v:      LUM1,  7FUi:..v@B
                                              ik7JMJ. ..,v@rk.
      _..._                                    Y8. vL: .5@v E.
    .'     '.                                 ui,N: .G.O@:  @
   /  _   _  \                              .P:   J7LEBO   Bi
   | (o)_(o) |                             .1      i@B7  .MU
    \(     ) /                             2     :M@u  .uMi
    //'._.'\ \                            :k  :U@BOi:vSM2B
   //   .   \ \                            7E@B@B@O8PrMk ;B
  ||   .     \ \                                      @:  @r
  |\   :     / |                                     EM.  ;@
  \ `) '   (`  /_                                   .B7    0L
_)``".____,.'"` (_                 ..,:i;7vjuFXZEOMMBBL:::.rB@B@B@                   
)     )'--'(     (           .,::ir77vvJjuu2UF5SS00GZOMBB@B@B@B@B@B@    
 '---`      `---` ::iirr77rrr77vLLLjuu25FXPNZGMOOO@B@B@B@B@@@B@B@B@B
                  :i:i::,:,i,:,:.:.:.:.:.:.:.,.,.,............. ...