Any way for ntlm_auth + winbind to not use ms-chap?
I'd like to use some other auth mechanism to pass the user/pass combination to the radius server and have it test there without having to go through the MS-CHAP challenge-response rigmorale. Main reason being getting Perl on the NAS side to manage all the MS-CHAP stuff appears to be a new problem to solve, somehow. How can this be done, and why shouldn't it be? Thanks, Mike
On Thu, Jun 16, 2016 at 11:51:09AM -0700, Mike Ely wrote:
I'd like to use some other auth mechanism to pass the user/pass combination to the radius server and have it test there without having to go through the MS-CHAP challenge-response rigmorale. Main reason being getting Perl on the NAS side to manage all the MS-CHAP stuff appears to be a new problem to solve, somehow.
How can this be done, and why shouldn't it be?
Not sure the question makes much sense. If you're doing MSCHAP then there is a challenge/response by definition. What "other auth mechanism" to pass the user/password to the RADIUS server? That's RADIUS.... If you want to tell FreeRADIUS to do MSCHAP internally and not call ntlm_auth then set control:MS-CHAP-Use-NTLM-Auth := No (see mods-available/mschap). Otherwise, sorry. I don't understand what you're asking. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 06/16/2016 02:36 PM, Matthew Newton wrote:
On Thu, Jun 16, 2016 at 11:51:09AM -0700, Mike Ely wrote: Not sure the question makes much sense. If you're doing MSCHAP then there is a challenge/response by definition. I guess to simplify the question: is it absolutely essential to use MSCHAP when authenticating against winbind, or can a simpler mechanism be used?
On Thu, Jun 16, 2016 at 02:49:52PM -0700, Mike Ely wrote:
On 06/16/2016 02:36 PM, Matthew Newton wrote:
On Thu, Jun 16, 2016 at 11:51:09AM -0700, Mike Ely wrote: Not sure the question makes much sense. If you're doing MSCHAP then there is a challenge/response by definition. I guess to simplify the question: is it absolutely essential to use MSCHAP when authenticating against winbind, or can a simpler mechanism be used?
See mods-available/ntlm_auth. You can send a username and password directly. (If you're living on the bleeding edge, see rlm_winbind in v3.1.x that I committed a week or two ago). Does that help? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 06/16/2016 02:58 PM, Matthew Newton wrote:
See mods-available/ntlm_auth. You can send a username and password directly.
Says to test with pap, but that complains it needs a known good password for the user (and I can't work out how to pass the password to pap as well as ntlm_auth).
On Thu, Jun 16, 2016 at 03:25:32PM -0700, Mike Ely wrote:
On 06/16/2016 02:58 PM, Matthew Newton wrote:
See mods-available/ntlm_auth. You can send a username and password directly.
Says to test with pap, but that complains it needs a known good password for the user (and I can't work out how to pass the password to pap as well as ntlm_auth).
What is your client sending to FreeRADIUS? PAP or MSCHAP? If MSCHAP, then you'll need to use rlm_mschap with either ntlm_auth (configured through the mschap module) or MS-CHAP-Use-NTLM-Auth := No. If PAP, then you can use rlm_pap (Cleartext-Password) or set up ntlm_auth as in the file I mentioned before and not use rlm_pap. You've not really given much information as to what you're actually doing or trying to do, which I'm afraid makes it quite hard to help. Sorry. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 06/16/2016 04:37 PM, Matthew Newton wrote:
What is your client sending to FreeRADIUS? PAP or MSCHAP?
If MSCHAP, then you'll need to use rlm_mschap with either ntlm_auth (configured through the mschap module) or MS-CHAP-Use-NTLM-Auth := No.
If PAP, then you can use rlm_pap (Cleartext-Password) or set up ntlm_auth as in the file I mentioned before and not use rlm_pap.
I'm getting PAP to work directly with ntlm_auth successfully now. The file had only minimal info but the wiki was much better: http://wiki.freeradius.org/guide/NTLM-Auth-with-PAP-HOWTO Ultimately what I've been trying to do is get the client to use Perl to connect to the radius server and authenticate using MSCHAP (or preferably v2). So far my google-fu has failed to find anyone who has done this, which is very surprising.
On 06/16/2016 02:58 PM, Matthew Newton wrote:
On Thu, Jun 16, 2016 at 02:49:52PM -0700, Mike Ely wrote:
I guess to simplify the question: is it absolutely essential to use MSCHAP when authenticating against winbind, or can a simpler mechanism be used? See mods-available/ntlm_auth. You can send a username and password directly.
Or better yet, just use pam/nsswitch to authenticate the user as though it were local and skip ntlm_auth entirely. Dreaded memory leaks aside, does this seem like a plausible course?
On 16/06/16 23:37, Mike Ely wrote:
Or better yet, just use pam/nsswitch to authenticate the user as though it were local and skip ntlm_auth entirely. Dreaded memory leaks aside, does this seem like a plausible course?
PAM sucks. There's no reason to have Freeradius->PAM->winbind when you can just have Freeradius->winbind
On 17 Jun 2016, at 11:27, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
PAM sucks.
That it does. I'm trying reconfigure a dial in VPN to use pam_radius for authentication. Unfortunately, libreswan (the daemon in use) does not support EAP outside of PPP. FreeRADIUS and pam_radius work absolutely fine, but because the user does not exist on the local system (I think) the authentication fails. "Throw it in the bin and use StrongSwan and EAP" is my current favourite solution, but if anyone knows enough pam-fu to make PAM happy without a user having an entry in /etc/passwd you'll be able to save me half a day of work. Bonus: RedHat seem to have compiled their PAM without debug or tracing support. Regards, Adam Bishop gpg: 0x6609D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On Fri, Jun 17, 2016 at 05:39:42PM +0000, Adam Bishop wrote:
On 17 Jun 2016, at 11:27, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
PAM sucks.
That it does. ... "Throw it in the bin and use StrongSwan and EAP" is my current favourite solution
Done that, works well. You're far better off spending a day getting that configured (it's not hard) than using PAM, IMO. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Adam Bishop -
Matthew Newton -
Mike Ely -
Phil Mayers