Hi, I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid. All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password. Any info or direction would be greatly appreciated. Thank you James
James, MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext. josh. James Taylor wrote:
Hi,
I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid.
All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.
Any info or direction would be greatly appreciated.
Thank you
James
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am I able to use PEAP to auth to UNIX or PAM instead of mscahpv2? Do I do this in the EAP.CONF file? What we are basically trying to do is use FreeRadius to authenticate against our current user database on our linux server while still maintaining the PEAP-TLS security with wireless. Is that even possible? -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Josh Howlett Sent: Thursday, October 13, 2005 2:25 PM To: FreeRadius users mailing list Subject: Re: FreeRadius/PEAP James, MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext. josh. James Taylor wrote:
Hi,
I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid.
All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.
Any info or direction would be greatly appreciated.
Thank you
James
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
No - your user database needs to store passwords in plaintext or NTLM. You basically have two options: use a TTLS supplicant instead (such as wpa_supplicant or SecureW2), or change your user database. best regards, josh. James Taylor wrote:
Am I able to use PEAP to auth to UNIX or PAM instead of mscahpv2? Do I do this in the EAP.CONF file? What we are basically trying to do is use FreeRadius to authenticate against our current user database on our linux server while still maintaining the PEAP-TLS security with wireless. Is that even possible?
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Josh Howlett Sent: Thursday, October 13, 2005 2:25 PM To: FreeRadius users mailing list Subject: Re: FreeRadius/PEAP
James,
MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext.
josh.
James Taylor wrote:
Hi,
I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid.
All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.
Any info or direction would be greatly appreciated.
Thank you
James
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
James Taylor wrote:
Am I able to use PEAP to auth to UNIX or PAM instead of mscahpv2? Do I do this in the EAP.CONF file? What we are basically trying to do is use FreeRadius to authenticate against our current user database on our linux server while still maintaining the PEAP-TLS security with wireless. Is that even possible?
PEAP can have several inner types. One of these is "GTC" (generic token card) which sends a prompt and asks for a response. I believe the prompt can be "password" and the response the actual password. How well windows' GTC support works I couldn't tell you, though I know it's there. See the "gtc" section in "eap.conf" PAM would not help; as Josh says, MSCHAPv2 needs the NT/LM hashes, which means either having the hashes, or the plaintext password to generate them from, not a "crypt". In any event, PAM seems to work very badly because of threading issues.
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
PEAP can have several inner types. One of these is "GTC" (generic token card) which sends a prompt and asks for a response. I believe the prompt can be "password" and the response the actual password.
How well windows' GTC support works I couldn't tell you, though I know it's there.
Windows doesn't support it, so far as I can tell. Alan DeKok.
Alan DeKok wrote:
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
PEAP can have several inner types. One of these is "GTC" (generic token card) which sends a prompt and asks for a response. I believe the prompt can be "password" and the response the actual password.
How well windows' GTC support works I couldn't tell you, though I know it's there.
Windows doesn't support it, so far as I can tell.
My mistake - I was convinced I'd seen it. (I suppose it's possible that I had the Cisco wireless card software installed, along with it's supplicant-fiddling extensions.)
"James Taylor" <jtaylor@laszlosystems.com> wrote:
Am I able to use PEAP to auth to UNIX or PAM instead of mscahpv2?
Your question doesn't make sense. Pam and Unix /etc/passwd are both systems that store "known good" passwords. MSCHAPv2 is an authentication protocol where a user tries to authenticate based on an unknown password.
What we are basically trying to do is use FreeRadius to authenticate against our current user database on our linux server while still maintaining the PEAP-TLS security with wireless. Is that even possible?
No the crypt'd passwords stored in /etc/passwd are 100% incompatible with PEAP. You can: a) store clear-text passwords b) use EAP-TTLS with tunneled PAP. You don't really have many other choices. Alan DeKok.
I have everything working with the users file. Josh, do you think if I have sambaNTpassword attribute in my ldap (I use ldap for authenticating users) with the ntlm credential it could work? Yuri On 10/13/05, Josh Howlett <josh.howlett@bristol.ac.uk> wrote:
James,
MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext.
josh.
James Taylor wrote:
Hi,
I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid.
All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.
Any info or direction would be greatly appreciated.
Thank you
James
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Yuri Francalacci yuri.francalacci@gmail.com
/etc/shadow files and PEAP/MSCHAPv2 are mutually exclusive. You can store the NT hashed passwords in the users file if you'd like, but, other than that, you'll have to use plaintext passwords. It's just the nature of the beast. --Mike James Taylor wrote:
Hi,
I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid.
All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.
Any info or direction would be greatly appreciated.
Thank you
James
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (6)
-
Alan DeKok -
James Taylor -
Josh Howlett -
Michael Griego -
Phil Mayers -
Yuri Francalacci