MS-CHAP: what password backends can be used?
Hello readers, I've browsed the FAQs, the mailing list archives but I have failed to find a definite, clear answer to this: what kind of user/password back-end can work if one is to support MS-CHAP? is anything storing crypt or MD5 passwords (/etc/passwd+shadow, NIS, LDAP) hopeless? (I suspect it is) I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It works fine if I use PAP and no encryption. If I want to use encryption, I need MS-CHAP, right? Right now my FreeRADIUS server is configured to use PAM. It runs on a box that is a NIS master, as well as a LDAP server with a directory built from NIS data using the well-known migration scripts (but FreeRADIUS doesn't talk to LDAP now). The master source of authentication is /etc/passwd and /etc/shadow, so passwords are in MD5 format. Is there any way I can get FreeRADIUS to handle MS-CHAP authentication requests from the Cisco box in this context? (i'm kind of expecting a big "no" here, but I want to be sure) If I'm not using Samba or a domain controller, do I need cleartext passwords to achieve this? where? in the "users" file only? In radiusd.conf, the "mschap" module has parameters for a Samba smpasswd format file or invoking ntlm_auth. If neither is set, where does it try to get the password from? I'm confused. Thanks for any reply, pointers etc. Greets, _Alain_
Alain Fauconnet <alain@ait.ac.th> wrote:
I've browsed the FAQs, the mailing list archives but I have failed to find a definite, clear answer to this: what kind of user/password back-end can work if one is to support MS-CHAP?
I don't see why there was no clear answer. The answer has been given many, many, times, and is always the same. MS-CHAP works with clear-text passwords, or with NT-Passwords. Nothing else.
I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It works fine if I use PAP and no encryption. If I want to use encryption, I need MS-CHAP, right?
What kind of encryption do you mean? There are many kinds.
Right now my FreeRADIUS server is configured to use PAM.
Ugh. That's not nice. It's added complexity for no real benefit.
The master source of authentication is /etc/passwd and /etc/shadow, so passwords are in MD5 format.
MS-CHAP is impossible.
Is there any way I can get FreeRADIUS to handle MS-CHAP authentication requests from the Cisco box in this context? (i'm kind of expecting a big "no" here, but I want to be sure)
No.
If I'm not using Samba or a domain controller, do I need cleartext passwords to achieve this? where? in the "users" file only?
The passwords can be obtained from any database.
In radiusd.conf, the "mschap" module has parameters for a Samba smpasswd format file or invoking ntlm_auth. If neither is set, where does it try to get the password from? I'm confused.
The mschap module no longer supports smbpasswd files. The mschap module doesn't "try" to get the password. It just does ms-chap authentication. Databases get the password, and add it to the RADIUS request. See doc/aaa.txt Alan DeKok.
Thanks for your reply Alan, On Thu, May 11, 2006 at 01:53:10AM -0400, Alan DeKok wrote:
Alain Fauconnet <alain@ait.ac.th> wrote:
I've browsed the FAQs, the mailing list archives but I have failed to find a definite, clear answer to this: what kind of user/password back-end can work if one is to support MS-CHAP?
I don't see why there was no clear answer. The answer has been given many, many, times, and is always the same. MS-CHAP works with clear-text passwords, or with NT-Passwords. Nothing else.
Then I must have missed it. I probably have searched for the wrong keywords... yes, I see now in the FAQ, I should have searched for "chap" and not "ms-chap" or "mschap". Sorry.
I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It works fine if I use PAP and no encryption. If I want to use encryption, I need MS-CHAP, right?
What kind of encryption do you mean? There are many kinds.
This PPTP so encryption is MPPE. When you configure a Windows client for a VPN (PPTP) connection, if you enable encryption and allow anything but MS-CHAP and MS-CHAP-V2, it says that if anything else is used (such as PAP), encryption will be disabled.
Right now my FreeRADIUS server is configured to use PAM.
Ugh. That's not nice. It's added complexity for no real benefit.
Well, I've inherited this installation and the Radius service is used for a dozen different things so I have to be very careful not to break anything. Anyway why is PAM so evil by itself? it adds a layer of abstraction and makes it a single place to tweak things if the authentication back-ends change. I understand that it defeats any requirement to access the cleartext passwords, though.
The master source of authentication is /etc/passwd and /etc/shadow, so passwords are in MD5 format.
MS-CHAP is impossible.
Roger that :-)
Is there any way I can get FreeRADIUS to handle MS-CHAP authentication requests from the Cisco box in this context? (i'm kind of expecting a big "no" here, but I want to be sure)
No.
If I'm not using Samba or a domain controller, do I need cleartext passwords to achieve this? where? in the "users" file only?
The passwords can be obtained from any database.
In radiusd.conf, the "mschap" module has parameters for a Samba smpasswd format file or invoking ntlm_auth. If neither is set, where does it try to get the password from? I'm confused.
The mschap module no longer supports smbpasswd files.
The mschap module doesn't "try" to get the password. It just does ms-chap authentication. Databases get the password, and add it to the RADIUS request. See doc/aaa.txt
OK, assuming I have a smbpasswd format file somewhere (not the case now), I should configure the mschap *and* passwd modules, uncommenting out: #passwd etc_smbpasswd { # filename = /etc/smbpasswd # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" # authtype = MS-CHAP # hashsize = 100 # ignorenislike = no # allowmultiplekeys = no #} is that correct? Greets, _Alain_
Alain Fauconnet <alain@ait.ac.th> wrote:
Then I must have missed it. I probably have searched for the wrong keywords... yes, I see now in the FAQ, I should have searched for "chap" and not "ms-chap" or "mschap". Sorry.
You're not the first person to ask this question. Google should return a *lot* of answers.
This PPTP so encryption is MPPE. When you configure a Windows client for a VPN (PPTP) connection, if you enable encryption and allow anything but MS-CHAP and MS-CHAP-V2, it says that if anything else is used (such as PAP), encryption will be disabled.
Ah. That would appear to be definitive, then.
Well, I've inherited this installation and the Radius service is used for a dozen different things so I have to be very careful not to break anything. Anyway why is PAM so evil by itself?
I've been working with PAM for many years. I've never liked it. If nothing else, PAM isnt designed to be used in the way that FreeRADIUS is using it: one process doing many PAM authentications. It's meant to be used by "login", and similar programs. We've had problems in the past with PAM because of this.
OK, assuming I have a smbpasswd format file somewhere (not the case now), I should configure the mschap *and* passwd modules, uncommenting out:
Yes. Alan DeKok.
participants (2)
-
Alain Fauconnet -
Alan DeKok