FreeRadius + OpenLDAP (SMD5) + Windows XP
Hi, I got a simple question but I don?t find anything to answer it. Situation: I got a database OpenLDAP which contains users info, mainly ?uid? and ?userPassword? crypt with SMD5 and I can?t modify this encryption type. I want Wireless users to have to authenticate to access the WLAN without installing anything on users' PC (mainly Windows XP PCs). Question: Does anybody know if there is a way to authenticate users using this password ? I tried using a clear-text password and that works but I cannot and don't want to change userPassword encryption. Thanks a lot for any idea/help, Romain Mercier
Mercier Romain wrote:
Hi,
I got a simple question but I don?t find anything to answer it. Situation: I got a database OpenLDAP which contains users info, mainly ?uid? and ?userPassword? crypt with SMD5 and I can?t modify this encryption type. I want Wireless users to have to authenticate to access the WLAN without installing anything on users' PC (mainly Windows XP PCs).
That's impossible I'm afraid.
Question: Does anybody know if there is a way to authenticate users using this password ?
I tried using a clear-text password and that works but I cannot and don't want to change userPassword encryption.
Windows XP can only do: EAP-TLS (using client and server X.509 certificates) EAP-PEAP/MS-CHAPv2 (using server certs, and client username/password) To authenticate the MS-CHAP portion of the latter, FreeRadius must have either the plaintext password, the NT/LM hashes, or access to a domain controller via Samba and use of the ntlm_auth helper. If you don't want to install any software and don't have plaintext/NT/LM passwords, you're stuck.
I read that future version 2.0 will support SMD5 with pap module. Could it solve my problem ? When will it be released ? Quoting Phil Mayers <p.mayers@imperial.ac.uk>:
Mercier Romain wrote:
Hi,
I got a simple question but I don?t find anything to answer it. Situation: I got a database OpenLDAP which contains users info, mainly ?uid? and ?userPassword? crypt with SMD5 and I can?t modify this encryption type. I want Wireless users to have to authenticate to access the WLAN without installing anything on users' PC (mainly Windows XP PCs).
That's impossible I'm afraid.
Question: Does anybody know if there is a way to authenticate users using this password ?
I tried using a clear-text password and that works but I cannot and don't want to change userPassword encryption.
Windows XP can only do:
EAP-TLS (using client and server X.509 certificates) EAP-PEAP/MS-CHAPv2 (using server certs, and client username/password)
To authenticate the MS-CHAP portion of the latter, FreeRadius must have either the plaintext password, the NT/LM hashes, or access to a domain controller via Samba and use of the ntlm_auth helper.
If you don't want to install any software and don't have plaintext/NT/LM passwords, you're stuck. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mercier Romain wrote:
I read that future version 2.0 will support SMD5 with pap module. Could it solve my problem ? When will it be released ?
You'd still need to install something on the clients. SecureW2 will to TTLS with PAP inside the tunnel, which would work. If your constraint is "no client software", you need the plaintext, NT/LM passwords or samba+ntlm_auth If you install SecureW2 and use TTLS+PAP you can check your passwords against ANYTHING because PAP supplies the username/password to the radius server and obviously it can do any kind of hashing or callout with it.
Phil Mayers wrote: You'd still need to install something on the clients. SecureW2 will to TTLS with PAP inside the tunnel, which would work.
I installed SecureW2 and try PAP, but didn't understand that I need TTLS module with PAP. I will try this. Thanks
If your constraint is "no client software", you need the plaintext, NT/LM passwords or samba+ntlm_auth
If you install SecureW2 and use TTLS+PAP you can check your passwords against ANYTHING because PAP supplies the username/password to the radius server and obviously it can do any kind of hashing or callout with it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks a lot Phil for your help. It's OK now. With SecureW2 and PAP on the user's PC and using ttls I add these lines to my configuration: Modules { ... eap { default_eap_type = ttls ... gtc { auth_type = PAP } ttls { default_eap_type = gtc } ... } ... }
participants (3)
-
Mercier Romain -
Phil Mayers -
Romain Mercier