802.1x with mschap-radius-ldap with ssha-1 passwords
Hi All I'm trying to do 802.1x authentication using freeradius against an LDAP directory which stores the userPassword in an ssha-1 hash. My question is, is this possible? If so, how do I configure mschap for ssha-1 passwords? Thanks for your time/advice, Cheers Matt
"Matt Ashfield" <mda@unb.ca> wrote:
I'm trying to do 802.1x authentication using freeradius against an LDAP directory which stores the userPassword in an ssha-1 hash. My question is, is this possible? If so, how do I configure mschap for ssha-1 passwords?
You don't. It's impossible. Alan DeKok.
I was afraid you'd say that. What would you suggest as a workaround for this problem? Could I do EAP-TTLS using the securew2 client instead? Or am I better off creating a 2nd password attribute on the LDAP directory that is maybe encoded as an NT-Password attribute or something like that. Thanks Matt Ashfield Network Analyst Integrated Technology Services University of New Brunswick (506) 447-3033 mda@unb.ca -----Original Message----- From: aland@nitros9.org [mailto:aland@nitros9.org] Sent: July 17, 2006 4:00 PM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: 802.1x with mschap-radius-ldap with ssha-1 passwords "Matt Ashfield" <mda@unb.ca> wrote:
I'm trying to do 802.1x authentication using freeradius against an LDAP directory which stores the userPassword in an ssha-1 hash. My question is, is this possible? If so, how do I configure mschap for ssha-1 passwords?
You don't. It's impossible. Alan DeKok.
Could I do EAP-TTLS using the securew2 client instead?
Yes, that's an option. And since EAP-TTLS is a standard you'll be able to have it work on a variety of clients (MAC OS, Pocket PC + SecureW2, Palm-OS, linux).
Or am I better off creating a 2nd password attribute on the LDAP directory that is maybe encoded as an NT-Password attribute or something like that.
That's another option. But if you choose this one, you'll have to make sure your users change their password through a unique interface that encode the passowrd as both SSHA and NTLM. Personnaly I chose the first solution. Thibault.
"Matt Ashfield" <mda@unb.ca> wrote:
I was afraid you'd say that. What would you suggest as a workaround for this problem? Could I do EAP-TTLS using the securew2 client instead?
Yes.
Or am I better off creating a 2nd password attribute on the LDAP directory that is maybe encoded as an NT-Password attribute or something like that.
That works once everyone changes their password. Alan DeKok.
Hi, I'm going to ask a follow-up questions here so I'll be better equipped to answer the same question from others when I explain that we cannot do 802.1x-PEAP with ssha-1 passwords stored in ldap.
From what I understand, the reason this won't work is because ssha-1 passwords are 1-way encrypted and therefore cannot be decrypted by the radius server for comparison of user credentials. Correct?
I guess the obvious question is why can't the Radius server simply perform a bind attempt to the LDAP server during authentication, as opposed to trying to compare the password received by the authenticator to the ssha-1 password stored in ldap? Thanks Matt Ashfield Network Analyst Integrated Technology Services University of New Brunswick (506) 447-3033 mda@unb.ca -----Original Message----- From: aland@nitros9.org [mailto:aland@nitros9.org] Sent: July 17, 2006 7:51 PM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: 802.1x with mschap-radius-ldap with ssha-1 passwords "Matt Ashfield" <mda@unb.ca> wrote:
I was afraid you'd say that. What would you suggest as a workaround for this problem? Could I do EAP-TTLS using the securew2 client instead?
Yes.
Or am I better off creating a 2nd password attribute on the LDAP directory that is maybe encoded as an NT-Password attribute or something like that.
That works once everyone changes their password. Alan DeKok.
Hi,
I guess the obvious question is why can't the Radius server simply perform a bind attempt to the LDAP server during authentication, as opposed to trying to compare the password received by the authenticator to the ssha-1 password stored in ldap?
I guess the obvious answer is that it can only bind if it has the user's password. When using MS-CHAP the password is already hashed when the server gets it, so how could he possibly perform the bind operation? Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
I guess the obvious question is why can't the Radius server simply perform a bind attempt to the LDAP server during authentication, as opposed to trying to compare the password received by the authenticator to the ssha-1 password stored in ldap?
Because, in PEAP, the client doesn't send the password in clear text: * the radius server sends a challenge to the client * the client replies with a response to the challenge string: this response is computed from the NTLM hash of the password, the user name, ... This way the radius server doesn't know the cleartext user's password and can't bind to the LDAP server. The radius server can only check that the response to the challenge is correct by recomputing it with its own version of the NTLM hash of the password. See RFC2759: http://tools.ietf.org/html/2759 And http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx HTH, Thibault
"Matt Ashfield" <mda@unb.ca> wrote:
I guess the obvious question is why can't the Radius server simply perform a bind attempt to the LDAP server during authentication, as opposed to trying to compare the password received by the authenticator to the ssha-1 password stored in ldap?
a) you stumbled on something that no one else in the world figured out b) your assumptions are incorrect, and my original response is correct. Choose one. Alan DeKok.
participants (4)
-
Alan DeKok -
Matt Ashfield -
Stefan Winter -
Thibault Le Meur