pam_radius_auth.so authentication algorithm
Hello, I want to setup a centralized authentication on all my Linux servers. To do so, I'am trying to setup Radius authentication on a Windows Active Directory (with the NPS role) using the PAM module pam_radius_auth.so https://freeradius.org/sub_projects/. The authentication works, however, the NPS (Radius Server) is complaining about the authentication method used by pam_radius_auth.so. It says that the client is using PAP insecure PAP protocol. I didn't find any parameter on the module documentation <https://github.com/FreeRADIUS/pam_radius> to change this behavior. Does pam_radius_auth.so support other secure protocol like CHAP ? Thanks in advance for your help. Best Regards,
On Oct 20, 2017, at 10:42 AM, Oussama BOUNAIM <o.bounaim@gmail.com> wrote:
The authentication works, however, the NPS (Radius Server) is complaining about the authentication method used by pam_radius_auth.so. It says that the client is using PAP insecure PAP protocol.
That's a stupid complaint.
I didn't find any parameter on the module documentation <https://github.com/FreeRADIUS/pam_radius> to change this behavior. Does pam_radius_auth.so support other secure protocol like CHAP ?
CHAP isn't more secure, unfortunately. And neither is MS-CHAP. Ignore the message, NPS is lying to you. Alan DeKok.
Thanks Alan :) I have done a tcpdump capture and the username is sent in clear with what it seems to be a simple MD5 hash of the password. What do you mean by "NPS is lying to you". Is it completely safe to use the module ? Thanks in advance On Fri, Oct 20, 2017 at 4:45 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 20, 2017, at 10:42 AM, Oussama BOUNAIM <o.bounaim@gmail.com> wrote:
The authentication works, however, the NPS (Radius Server) is complaining about the authentication method used by pam_radius_auth.so. It says that the client is using PAP insecure PAP protocol.
That's a stupid complaint.
I didn't find any parameter on the module documentation <https://github.com/FreeRADIUS/pam_radius> to change this behavior. Does pam_radius_auth.so support other secure protocol like CHAP ?
CHAP isn't more secure, unfortunately. And neither is MS-CHAP.
Ignore the message, NPS is lying to you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Oct 20, 2017, at 11:20 AM, Oussama BOUNAIM <o.bounaim@gmail.com> wrote:
I have done a tcpdump capture and the username is sent in clear with what it seems to be a simple MD5 hash of the password.
Read RFC 2865 to see how RADIUS works.
What do you mean by "NPS is lying to you". Is it completely safe to use the module ?
Yes. Alan Dekok.
How about using winbind authentication? Eero 2017-10-20 17:42 GMT+03:00 Oussama BOUNAIM <o.bounaim@gmail.com>:
Hello,
I want to setup a centralized authentication on all my Linux servers. To do so, I'am trying to setup Radius authentication on a Windows Active Directory (with the NPS role) using the PAM module pam_radius_auth.so https://freeradius.org/sub_projects/.
The authentication works, however, the NPS (Radius Server) is complaining about the authentication method used by pam_radius_auth.so. It says that the client is using PAP insecure PAP protocol.
I didn't find any parameter on the module documentation <https://github.com/FreeRADIUS/pam_radius> to change this behavior. Does pam_radius_auth.so support other secure protocol like CHAP ?
Thanks in advance for your help.
Best Regards, - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (3)
-
Alan DeKok -
Eero Volotinen -
Oussama BOUNAIM