Hello, I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2? http://deployingradius.com/documents/protocols/compatibility.html Is the above link still up-to-date? Thanks! --- Dennis Xu Analyst 3, Network Infrastructure Computing and Communications Services(CCS) University of Guelph 519-824-4120 Ext 56217 dxu@uoguelph.ca www.uoguelph.ca/ccs
On 09/03/2014 11:52 AM, Dennis Xu wrote:
Hello,
I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
http://deployingradius.com/documents/protocols/compatibility.html
Is the above link still up-to-date?
Take a look at: http://deployingradius.com/documents/configuration/active_directory.html You need to configure your FreeRADIUS server to use ntlm_auth precisely because FreeRADIUS does not have access to the cleartext passwords of Active Directory users. Cheers, Eloy Paris.-
Thanks. Yes we have to configure FreeRadius server to use ntlm_auth. But my problem is that our AD does not store passwords in NT hash format. They use SHA1 hash or crypt'd format. Dennis ----- Original Message ----- From: "Eloy Paris" <peloy@chapus.net> To: dxu@uoguelph.ca, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 3, 2014 12:01:26 PM Subject: Re: Limitation of authenticating against AD On 09/03/2014 11:52 AM, Dennis Xu wrote:
Hello,
I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
http://deployingradius.com/documents/protocols/compatibility.html
Is the above link still up-to-date?
Take a look at: http://deployingradius.com/documents/configuration/active_directory.html You need to configure your FreeRADIUS server to use ntlm_auth precisely because FreeRADIUS does not have access to the cleartext passwords of Active Directory users. Cheers, Eloy Paris.-
Oh, I am sorry, I missed that important detail. Then you are out of luck, as compatibility.html indicates. Cheers, Eloy Paris.- On 09/03/2014 12:26 PM, Dennis Xu wrote:
Thanks. Yes we have to configure FreeRadius server to use ntlm_auth. But my problem is that our AD does not store passwords in NT hash format. They use SHA1 hash or crypt'd format.
Dennis
----- Original Message ----- From: "Eloy Paris" <peloy@chapus.net> To: dxu@uoguelph.ca, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 3, 2014 12:01:26 PM Subject: Re: Limitation of authenticating against AD
On 09/03/2014 11:52 AM, Dennis Xu wrote:
Hello,
I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
http://deployingradius.com/documents/protocols/compatibility.html
Is the above link still up-to-date?
Take a look at:
http://deployingradius.com/documents/configuration/active_directory.html
You need to configure your FreeRADIUS server to use ntlm_auth precisely because FreeRADIUS does not have access to the cleartext passwords of Active Directory users.
Cheers,
Eloy Paris.-
You mean when you are using it as an LDAP server rather than doing NTLMv2 with it (Linux box bound into the AD) ? Alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Thanks. Yes we have to configure FreeRadius server to use ntlm_auth. But my problem is that our AD does not store passwords in NT hash format. They use SHA1 hash or crypt'd format.
Are you SURE that's ActiveDirectory? AD only supports NT Hash and LM Hash. But if you have Active Directory that has its groups pushed to other LDAP servers (like OpenLDAP), then SHA1 is a possibility. If that is the case, try authentication against the REAL domain controller for the domain, not one of the other LDAP instances. You can try binding to the LDAP instance as user, but then you are limited to PAP and its tunnelled versions (via EAP-TTLS or EAP-TTLS/EAP-GTC) as per the compatibility matrix that you referred to. Stefan Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
But my problem is that our AD does not store passwords in NT hash format. They use SHA1 hash or crypt'd format.
Bind users to AD as Active Directory is a combo of Kerberos and ldap. It allows ldap bind. Alternatively, you can use EAP-TTLS and Kerberos. Or you can use AD's certificate authority and issue certificates to users and use EAP-TLS to do authentication. Yu -----Original Message----- From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Dennis Xu Sent: Wednesday, September 03, 2014 12:27 PM To: Eloy Paris Cc: FreeRadius users mailing list Subject: Re: Limitation of authenticating against AD Thanks. Yes we have to configure FreeRadius server to use ntlm_auth. But my problem is that our AD does not store passwords in NT hash format. They use SHA1 hash or crypt'd format. Dennis ----- Original Message ----- From: "Eloy Paris" <peloy@chapus.net> To: dxu@uoguelph.ca, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 3, 2014 12:01:26 PM Subject: Re: Limitation of authenticating against AD On 09/03/2014 11:52 AM, Dennis Xu wrote:
Hello,
I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
http://deployingradius.com/documents/protocols/compatibility.html
Is the above link still up-to-date?
Take a look at: http://deployingradius.com/documents/configuration/active_directory.html You need to configure your FreeRADIUS server to use ntlm_auth precisely because FreeRADIUS does not have access to the cleartext passwords of Active Directory users. Cheers, Eloy Paris.- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dennis Xu wrote:
I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
No. AD stores it's passwords in NT-Hash format. And it does NOT allow FreeRADIUS (or anyone) to read those passwords via LDAP.
http://deployingradius.com/documents/protocols/compatibility.html
Is the above link still up-to-date?
Yes. Alan DeKok.
Thanks for the information. So FreeRadius uses LDAP to authenticate against AD and LDAP cannot read the passwords in those formats. Apparently ACS has a different implementation on authenticating against AD that they don't care about the password format stored in AD: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_sy... Dennis ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: dxu@uoguelph.ca, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 3, 2014 12:01:53 PM Subject: Re: Limitation of authenticating against AD Dennis Xu wrote:
I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
No. AD stores it's passwords in NT-Hash format. And it does NOT allow FreeRADIUS (or anyone) to read those passwords via LDAP.
http://deployingradius.com/documents/protocols/compatibility.html
Is the above link still up-to-date?
Yes. Alan DeKok.
On 03-09-14 18:24, Dennis Xu wrote:
Thanks for the information. So FreeRadius uses LDAP to authenticate against AD
That would be an uncommon setup. You can authenticate via the tool ntlm_auth (which uses RPC over SMB, and is kind of limited to Active Directory and Samba), or you proxy the request and enable the RADIUS-server of Active Directory (I believe it was called NPS).
and LDAP cannot read the passwords in those formats.
No, Alan said you cannot read the passwords via LDAP, that has nothing to do with the format of the stored passwords. But you don't need to read the password in order to authenticate.
Apparently ACS has a different implementation on authenticating against AD that they don't care about the password format stored in AD:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_sy...
AD stores NT hashes, they are compatible with MSCHAPv2. -- Herwin Weststrate
Dennis Xu wrote:
Thanks for the information. So FreeRadius uses LDAP to authenticate against AD and LDAP cannot read the passwords in those formats. Apparently ACS has a different implementation on authenticating against AD that they don't care about the password format stored in AD:
ACS has either (a) used the NT domain API, like Samba 3 does. Or (b) used the new AD replication protocol like Samba 4 does. So there's nothing special about ACS. Other than they're Cisco, and can afford ten million dollars to inter-operate with AD. We will NOT be re-writing Samba. The way to interact with AD is Samba. Full stop. No other alternative is possible. Alan DeKok.
participants (7)
-
Alan Buxey -
Alan DeKok -
Dennis Xu -
Eloy Paris -
Herwin Weststrate -
Stefan Paetow -
Wang, Yu