ldap auto header MS-CHAPv2
hi, how can i handle encrypted users's ldap password ? pap reckognize my ssha1 from base64 encoding => because of the auto_header to yes but it looks like MS-CHAP does not kwow how to deal with... [ldap] Added User-Password = {SSHA}2FJYOM+C3mqL2g6wOhcLfjMY2XdoQ4bi in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Cleartext-Password == "{SSHA}2FJYOM+C3mqL2g6wOhcLfjMY2XdoQ4bi" [ldap] looking for reply items in directory... [ldap] user bernard authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing SSHA1-Password from base64 encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for bernard with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject thank u
Hi,
how can i handle encrypted users's ldap password ?
depends what you want to do read the docs and you will see what youc an do with what back-end eg http://deployingradius.com/documents/protocols/compatibility.html this shows that LDAP is just a basic store of info...you cannot do eg challenhe-response with a basic store. if you want to do that kind of fund and games with mschap then you need to bind the FR server to eg AD and use the ntlm_auth method of getting people authenticated. this is also well documented. http://deployingradius.com/documents/configuration/active_directory.html alan
no i don't have AD. in other word, i cannot use windows xp supplicant *EAP-MSCHAPv2 *to make the authentication protocol to authenticate users in openldap database using ssha1 password, that's right?* * 2010/3/15 Alan Buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
how can i handle encrypted users's ldap password ?
depends what you want to do
read the docs and you will see what youc an do with what back-end eg
http://deployingradius.com/documents/protocols/compatibility.html
this shows that LDAP is just a basic store of info...you cannot do eg challenhe-response with a basic store. if you want to do that kind of fund and games with mschap then you need to bind the FR server to eg AD and use the ntlm_auth method of getting people authenticated. this is also well documented.
http://deployingradius.com/documents/configuration/active_directory.html
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
no i don't have AD.
in other word, i cannot use windows xp supplicant EAP-MSCHAPv2 to make the authentication protocol to authenticate users in openldap database using ssha1 password, that's right?
correct: http://deployingradius.com/documents/protocols/oracles.html PEAPv0/MS-CHAPv2 requires MSCHAPv2 - thats challenge response. the client never supplies the real password - therefore you cannot compare to a password stored in LDAP. what you need to use is an EAP method that uses PAP....eg EAP-TTLSv0/PAP try using a supplicant on the windows machine that gives you this eg http://open1x.sourceforge.net/ http://www.securew2.com/ ...or grab a Mac OSX machine to do further testing - they have TTLS/PAP support natively. alan
On Monday 15 March 2010 13:42:11 Alan Buxey wrote:
Hi,
no i don't have AD.
in other word, i cannot use windows xp supplicant EAP-MSCHAPv2 to make the authentication protocol to authenticate users in openldap database using ssha1 password, that's right?
correct: http://deployingradius.com/documents/protocols/oracles.html
PEAPv0/MS-CHAPv2 requires MSCHAPv2 - thats challenge response.
the client never supplies the real password - therefore you cannot compare to a password stored in LDAP.
what you need to use is an EAP method that uses PAP....eg EAP-TTLSv0/PAP
You can use EAP-PEAP as long as you store also samba NT/LM hashes in LDAP (sambaLMPassword and sambaNTPassword). If you have these hashes you may use Windows XP built-in supplicant.
try using a supplicant on the windows machine that gives you this eg
http://open1x.sourceforge.net/
...or grab a Mac OSX machine to do further testing - they have TTLS/PAP support natively.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan Buxey -
nf-vale -
omega bk