Yet another PEAP/LDAP Question
Hello all: I am trying to setup a 802.1x WiFi authentication system using freeradius. My setup is as follows: Windows XP SP2 as the supplicant using PEAP/MSCHAPv2 Cisco Aironet 1231 Freeradius 1.1.0 IBM Lotus Domino LDAP The process is mostly working - Freeradius binds to LDAP properly, the User gets authorized, Freeradius pulls the correct password hash from the Domino LDAP server.. But, then the MSCHAP portion fails. Portion of the log is shown below which I believe shows the problem. I am thinking that the problem is that I am not telling Freeradius how to hash the supplied password correctly to match the Domino password. The aggravating part is that we are using the exact same Domino LDAP server to authenticate our VPN users. Full (sanatized) copy of the debug output is here: http://www.xbytenetworks.com/debug-log.txt Copy of Radiusd.conf is here: http://www.xbytenetworks.com/radiusd.conf Thanks in advance for any help you can offer. Jon rlm_ldap: - authorize rlm_ldap: performing user authorization for jon.giza radius_xlat: '(uid=jon.giza)' radius_xlat: 'OU=Waukesha,OU=NA,O=MyCo' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Waukesha,OU=NA,O=MyCo, with filter (uid=jon.giza) rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user jon.giza authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 5 rlm_mschap: Told to do MS-CHAPv2 for jon.giza with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 modcall: leaving group MS-CHAP (returns reject) for request 5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: leaving group authenticate (returns reject) for request 5 auth: Failed to validate the user. Login incorrect: [jon.giza/<no User-Password attribute>] (from client wifi.myco.com port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 152 to 10.100.224.235 port 1645 EAP-Message = 0x010800261900170301001b1bb3ec40925325e30990ce3b14a78af7abc1f7222d06716740d2 ff Message-Authenticator = 0x00000000000000000000000000000000 State = 0x132496908cd3121e6967d7ddafcdd795 Finished request 5
Jon P. Giza wrote:
Hello all:
I am trying to setup a 802.1x WiFi authentication system using freeradius. My setup is as follows:
Windows XP SP2 as the supplicant using PEAP/MSCHAPv2 Cisco Aironet 1231 Freeradius 1.1.0 IBM Lotus Domino LDAP
The process is mostly working - Freeradius binds to LDAP properly, the User gets authorized, Freeradius pulls the correct password hash from the Domino LDAP server.. But, then the MSCHAP portion fails. Portion of the log is shown below which I believe shows the problem.
I am thinking that the problem is that I am not telling Freeradius how to hash the supplied password correctly to match the Domino password. The aggravating part is that we are using the exact same Domino LDAP server to authenticate our VPN users.
That's only relevant if the VPN is using MS-CHAP to authenticate, and even then only if it's doing it by extracting the hash as opposed to "some other" method.
Full (sanatized) copy of the debug output is here: http://www.xbytenetworks.com/debug-log.txt Copy of Radiusd.conf is here: http://www.xbytenetworks.com/radiusd.conf
Thanks in advance for any help you can offer.
Jon
rlm_ldap: - authorize rlm_ldap: performing user authorization for jon.giza radius_xlat: '(uid=jon.giza)' radius_xlat: 'OU=Waukesha,OU=NA,O=MyCo' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Waukesha,OU=NA,O=MyCo, with filter (uid=jon.giza) rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check items
That looks like the right format to be an NT hash. However, the default radiusd.conf (and yours) says: # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. Having said that, I don't see any evidence of this so-called "figuring out" in the rlm_ldap source code - it looks to me like it does this: if password_attribute: val = ldap_result_attr(password_attribute) if password_header: if val.startswith(password_header): val = val.remove(password_header) else: error("no password header found") check_items.add("Password", val) i.e. a straight copy to User-Password with optional removal of a {type} header What you want to do is get the NT hash into the "NT-Password" attribute, which you normally do in the ldap.attrmap section. By default this is setup to do this: checkItem LM-Password lmPassword checkItem NT-Password ntPassword ...but from the looks of it your LDAP has the NT hash unadorned in the "userPassword" attribute. So, comment out "password_attribute" in the LDAP module, and set this in the ldap.attrmap file: checkItem NT-Password userPassword
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user jon.giza authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 5 rlm_mschap: Told to do MS-CHAPv2 for jon.giza with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 modcall: leaving group MS-CHAP (returns reject) for request 5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: leaving group authenticate (returns reject) for request 5 auth: Failed to validate the user. Login incorrect: [jon.giza/<no User-Password attribute>] (from client wifi.myco.com port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 152 to 10.100.224.235 port 1645 EAP-Message = 0x010800261900170301001b1bb3ec40925325e30990ce3b14a78af7abc1f7222d06716740d2 ff Message-Authenticator = 0x00000000000000000000000000000000 State = 0x132496908cd3121e6967d7ddafcdd795 Finished request 5
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Phil: I have made the suggested changes, and new debug's below: rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as NT-Password, value ( & op=21 rlm_ldap: looking for reply items in directory... ... modcall: entering group MS-CHAP for request 5 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: Invalid NT-Password rlm_mschap: Told to do MS-CHAPv2 for jon.giza with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 I tried the same update with LM-Password, with the same results. Is the response saying that the supplied password is invalid, or the ldap stored password? Thanks JPG
-----Original Message----- From: freeradius-users-bounces+jon=xbytenetworks.com@lists.freeradius.org [mailto:freeradius-users- bounces+jon=xbytenetworks.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, January 25, 2006 10:39 AM To: FreeRadius users mailing list Subject: Re: Yet another PEAP/LDAP Question
Jon P. Giza wrote:
Hello all:
I am trying to setup a 802.1x WiFi authentication system using freeradius. My setup is as follows:
Windows XP SP2 as the supplicant using PEAP/MSCHAPv2 Cisco Aironet 1231 Freeradius 1.1.0 IBM Lotus Domino LDAP
The process is mostly working - Freeradius binds to LDAP properly, the User gets authorized, Freeradius pulls the correct password hash from the Domino LDAP server.. But, then the MSCHAP portion fails. Portion of the log is shown below which I believe shows the problem.
I am thinking that the problem is that I am not telling Freeradius how to hash the supplied password correctly to match the Domino password. The aggravating part is that we are using the exact same Domino LDAP server to authenticate our VPN users.
That's only relevant if the VPN is using MS-CHAP to authenticate, and even then only if it's doing it by extracting the hash as opposed to "some other" method.
Full (sanatized) copy of the debug output is here: http://www.xbytenetworks.com/debug-log.txt Copy of Radiusd.conf is here: http://www.xbytenetworks.com/radiusd.conf
Thanks in advance for any help you can offer.
Jon
rlm_ldap: - authorize rlm_ldap: performing user authorization for jon.giza radius_xlat: '(uid=jon.giza)' radius_xlat: 'OU=Waukesha,OU=NA,O=MyCo' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Waukesha,OU=NA,O=MyCo, with filter (uid=jon.giza) rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check
items
That looks like the right format to be an NT hash. However, the default radiusd.conf (and yours) says:
# NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too.
Having said that, I don't see any evidence of this so-called "figuring out" in the rlm_ldap source code - it looks to me like it does this:
if password_attribute: val = ldap_result_attr(password_attribute) if password_header: if val.startswith(password_header): val = val.remove(password_header) else: error("no password header found") check_items.add("Password", val)
i.e. a straight copy to User-Password with optional removal of a {type} header
What you want to do is get the NT hash into the "NT-Password" attribute, which you normally do in the ldap.attrmap section. By default this is setup to do this:
checkItem LM-Password lmPassword checkItem NT-Password ntPassword
...but from the looks of it your LDAP has the NT hash unadorned in the "userPassword" attribute. So, comment out "password_attribute" in the LDAP module, and set this in the ldap.attrmap file:
checkItem NT-Password userPassword
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user jon.giza authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 5 rlm_mschap: Told to do MS-CHAPv2 for jon.giza with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 modcall: leaving group MS-CHAP (returns reject) for request 5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: leaving group authenticate (returns reject) for request 5 auth: Failed to validate the user. Login incorrect: [jon.giza/<no User-Password attribute>] (from client wifi.myco.com port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 152 to 10.100.224.235 port 1645 EAP-Message =
0x010800261900170301001b1bb3ec40925325e30990ce3b14a78af7abc1f7222d06716740 d2
ff Message-Authenticator = 0x00000000000000000000000000000000 State = 0x132496908cd3121e6967d7ddafcdd795 Finished request 5
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jon P. Giza wrote:
Phil:
I have made the suggested changes, and new debug's below:
rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as NT-Password, value ( & op=21 rlm_ldap: looking for reply items in directory... ... modcall: entering group MS-CHAP for request 5 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: Invalid NT-Password
The bit of code that generates this error checks for a length of 16 bytes (the actual bytes) or 32 (un-prefixed hex-encoded, in which case it decodes it). Therefore the userPassword attribute must be something other than the form: 0123456789abcdef0123456789abcdef Your original debug log showed: rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check items ...and from the looks of the rlm_ldap code those brackets '()' are part of the data in the LDAP server, not part of the message print out function. Quite why you'd wrap an ntPassword in round brackets I don't know, but you'll need to remove them somehow.
I doubt it will be possible to remove that. Is it possible to authenticate to this ldap database in another way? I thought I had read of a way to bind to the ldap server as the user we are trying to authenticate, but I can not find any good info on this. Thanks again for your help. JPG
-----Original Message----- From: freeradius-users-bounces+jon=xbytenetworks.com@lists.freeradius.org [mailto:freeradius-users- bounces+jon=xbytenetworks.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, January 25, 2006 11:45 AM To: FreeRadius users mailing list Subject: Re: Yet another PEAP/LDAP Question
Jon P. Giza wrote:
Phil:
I have made the suggested changes, and new debug's below:
rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as NT-Password, value ( & op=21 rlm_ldap: looking for reply items in directory... ... modcall: entering group MS-CHAP for request 5 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: Invalid NT-Password
The bit of code that generates this error checks for a length of 16 bytes (the actual bytes) or 32 (un-prefixed hex-encoded, in which case it decodes it). Therefore the userPassword attribute must be something other than the form:
0123456789abcdef0123456789abcdef
Your original debug log showed:
rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check items
...and from the looks of the rlm_ldap code those brackets '()' are part of the data in the LDAP server, not part of the message print out function.
Quite why you'd wrap an ntPassword in round brackets I don't know, but you'll need to remove them somehow. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jon P. Giza wrote:
I doubt it will be possible to remove that. Is it possible to authenticate
You can't unfortunately use attr_rewrite or the "users" file to manipulate "config" AVPs. You may be able to use the exec module to do so: modules { exec stripnonhex { wait = yes input_pairs = config output_pairs = config program = "/path/to/stripnonhex.sh" } } ...with "stripnonhex.sh" being pretty simple: #!/bin/sh newnt=`echo $NT_PASSWORD | perl -pe 's/[^[:xdigit:]]//g'` echo "NT-Password := $newnt" ...now I'm not certain that the exec module parses the output in exactly that way, namely whether the NT-Password that the exec module emits will overwrite the existing one in "config" items, or whether the ":=" does nothing in this context, so test it first. If it doesn't work you may have to map the ldap to Bad-NT-Password or something and change the script to read BAD_NT_PASSWORD. Failing that, you could patch rlm_mschap - in my 1.0.5 source tree, the relevant lines are ~1056, where you'd need to loosen the 32 character check: 1054 if (nt_password) { 1055 if ((nt_password->length == 16) || 1056 ((nt_password->length == 32) && change to: 1054 if (nt_password) { 1055 if ((nt_password->length == 16) || 1056 ((nt_password->length >= 32) && ...and the hex2bin function further up to ignore rather than exit on non-hex characters: 73 int i; 74 75 for (i = 0; i < len; i++) { 76 if( !(SOMESTUFF) || 77 !(SOMESTUFF)) 78 break; 79 szBin[i] = ((c1-letters)<<4) + (c2-letters); ...change that to: 73 int i,j; 74 75 for (i = 0, j = 0; i < len; i++) { 76 if( !(SOMESTUFF) || 77 !(SOMESTUFF)) 78 continue; 79 szBin[j++] = ((c1-letters)<<4) + (c2-letters); As always, no warranty it might eat your cat etc.
to this ldap database in another way? I thought I had read of a way to bind to the ldap server as the user we are trying to authenticate, but I can not find any good info on this.
You can do that, but since an ldap simple bind requires the plaintext password it only works with PAP requests, not MS-CHAP.
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
# Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too.
Having said that, I don't see any evidence of this so-called "figuring out" in the rlm_ldap source code - it looks to me like it does this:
That "figuring it out" is in the MSCHAP module. The comments in the LDAP config are wrong, and should be deleted.
i.e. a straight copy to User-Password with optional removal of a {type} header
This is fixed in the CVS head. Alan DeKok.
participants (3)
-
Alan DeKok -
Jon P. Giza -
Phil Mayers