Enterasys Wireless controller with Mgmt user authentication via RADIUS MSCHAP
Hi all, I hope you are all fine. I am deploying a Radius server to authenticate mgmt users of a Enterasys Wireless Controller. The problem is that when I set WLC to authenticate via radius using MSCHAP I get Access-reject. First of all, I keep the radius config files as default and when debugging it I noticed that for some reason radius is trying to authenticate by UNIX Cleartext Password. For PAP authentication it is ok and all works great but not for MSCHAP. Then, I set Auth-type = MSCHAP in "users" config file and here the things changed. The auth now is done by mschap but it is still requesting a clear text password. After that it tries with LM-password / NT-password. I read this article http://deployingradius.com/documents/configuration/active_directory.html But I cant sort out this problem. Is It possible to set Enterasys Wireless controller to authenticate mgmt users via MSCHAP Radius??? Can it be done without LM-password or NT-password? Sorry for that, but It is getting me crazy. I kindly request you for help. Thanks in advance. BR. -- Alan Alejandro Villaverde. ,JL. j@, Zv uJ.u@qJ :LBO:v1 :r1@ MB G1 rB8Ur , r@Ei O .7 @. :N,:BBO05v,:, :7 u Or vM@r:E: rqr,: .v X Or 7@r v@U ,@::: 5 .L M: YO:2@OS. . .7: N iP Y@riBr ,:i::: :q ,q. qk :ii YO. iv7r77r iGF :7v7 :u0u. 7Lj ;5k1r7BN 7P552552v: LUM1, 7FUi:..v@B ik7JMJ. ..,v@rk. _..._ Y8. vL: .5@v E. .' '. ui,N: .G.O@: @ / _ _ \ .P: J7LEBO Bi | (o)_(o) | .1 i@B7 .MU \( ) / 2 :M@u .uMi //'._.'\ \ :k :U@BOi:vSM2B // . \ \ 7E@B@B@O8PrMk ;B || . \ \ @: @r |\ : / | EM. ;@ \ `) ' (` /_ .B7 0L _)``".____,.'"` (_ ..,:i;7vjuFXZEOMMBBL:::.rB@B@B@ ) )'--'( ( .,::ir77vvJjuu2UF5SS00GZOMBB@B@B@B@B@B@ '---` `---` ::iirr77rrr77vLLLjuu25FXPNZGMOOO@B@B@B@B@@@B@B@B@B :i:i::,:,i,:,:.:.:.:.:.:.:.,.,.,............. ...
Alan Alejandro Villaverde wrote:
The problem is that when I set WLC to authenticate via radius using MSCHAP I get Access-reject.
Read the debug output to see why. This is suggested in the FAQ, "man" page, web pages, and daily on this list.
First of all, I keep the radius config files as default and when debugging it I noticed that for some reason radius is trying to authenticate by UNIX Cleartext Password.
I don't know what that means.
For PAP authentication it is ok and all works great but not for MSCHAP.
Then, I set Auth-type = MSCHAP in "users" config file
Don't do that. It will break things. It's not necessary.
and here the things changed. The auth now is done by mschap but it is still requesting a clear text password. After that it tries with LM-password / NT-password.
Well, no, it doesn't. The debug output doesn't say that.
I read this article http://deployingradius.com/documents/configuration/active_directory.html
But I cant sort out this problem.
Put a user && Cleartext-Password into the "users" file. It will work.
Is It possible to set Enterasys Wireless controller to authenticate mgmt users via MSCHAP Radius???
Yes.
Can it be done without LM-password or NT-password?
Yes. Alan DeKok.
Hi Alan, Thx for your quick feedback! I finally got it working. I get it work setting Cleartext-Password into the users files as you explained to me.But, is it possible to use PAM with MSCHAP? what about with a lot of users? I read the FAQ, but I am not sure about how to make it works with MSCHAP and PAM. Could you give me a clue? For instance, I know that when I use PAP authentication, the password travels in plain text. When it arrives to radius server it is verify by unix authentication. On Oct 29, 2014 4:36 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
Alan Alejandro Villaverde wrote:
The problem is that when I set WLC to authenticate via radius using MSCHAP I get Access-reject.
Read the debug output to see why. This is suggested in the FAQ, "man" page, web pages, and daily on this list.
First of all, I keep the radius config files as default and when debugging it I noticed that for some reason radius is trying to authenticate by UNIX Cleartext Password.
I don't know what that means.
For PAP authentication it is ok and all works great but not for MSCHAP.
Then, I set Auth-type = MSCHAP in "users" config file
Don't do that. It will break things. It's not necessary.
and here the things changed. The auth now is done by mschap but it is still requesting a clear text password. After that it tries with LM-password / NT-password.
Well, no, it doesn't. The debug output doesn't say that.
I read this article http://deployingradius.com/documents/configuration/active_directory.html
But I cant sort out this problem.
Put a user && Cleartext-Password into the "users" file. It will work.
Is It possible to set Enterasys Wireless controller to authenticate mgmt users via MSCHAP Radius???
Yes.
Can it be done without LM-password or NT-password?
Yes.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 29 Oct 2014, at 18:16, Alan Alejandro Villaverde <alan.villaverde@gmail.com> wrote:
Hi Alan,
Thx for your quick feedback!
I finally got it working. I get it work setting Cleartext-Password into the users files as you explained to me.But, is it possible to use PAM with MSCHAP? what about with a lot of users? I read the FAQ, but I am not sure about how to make it works with MSCHAP and PAM.
No.
Could you give me a clue?
PAM and MSCHAP won't work. If you're authenticating using PAM you need the Cleartext-Password available which you don't have with MSCHAP. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
The only way I found to make it works is setting the following lines in the user file: vi users: avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456" It works, but how do you handle 1000 users for example? It turns very difficult to manage the user passwords. For instance, if the user change the password in the linux box, then you need to edit the users file to replicate that password. I have running tacacs+ in the same box, and the user only has to use an unique password for radius and tacacs defined by passwd. I am using PAM authentication for this. On the other hand, If I work with PAP I can handle the users like a Linux user, so the managament is easier and it depends on the final user. The user can access the linux box and change his password with a simple passwd and all is replicated for tacacs and freeradius. It is the way how is working today, but I was requested to set MSCHAP authentication due to security audits. When user try to access wireless controller, he puts his password and then radius checks the password with the passwd file or shadow file without any necesity of "editing radius users file" I think I am missing something regarding how to set MSCHAP authentication, and that radius checks the password without using Cleartext-Password in the USERS file. I dont know if I am clear enough for you. Sorry for my poor english. 2014-10-29 19:27 GMT-03:00 Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
On 29 Oct 2014, at 18:16, Alan Alejandro Villaverde < alan.villaverde@gmail.com> wrote:
Hi Alan,
Thx for your quick feedback!
I finally got it working. I get it work setting Cleartext-Password into the users files as you explained to me.But, is it possible to use PAM with MSCHAP? what about with a lot of users? I read the FAQ, but I am not sure about how to make it works with MSCHAP and PAM.
No.
Could you give me a clue?
PAM and MSCHAP won't work. If you're authenticating using PAM you need the Cleartext-Password available which you don't have with MSCHAP.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alan Alejandro Villaverde. ,JL. j@, Zv uJ.u@qJ :LBO:v1 :r1@ MB G1 rB8Ur , r@Ei O .7 @. :N,:BBO05v,:, :7 u Or vM@r:E: rqr,: .v X Or 7@r v@U ,@::: 5 .L M: YO:2@OS. . .7: N iP Y@riBr ,:i::: :q ,q. qk :ii YO. iv7r77r iGF :7v7 :u0u. 7Lj ;5k1r7BN 7P552552v: LUM1, 7FUi:..v@B ik7JMJ. ..,v@rk. _..._ Y8. vL: .5@v E. .' '. ui,N: .G.O@: @ / _ _ \ .P: J7LEBO Bi | (o)_(o) | .1 i@B7 .MU \( ) / 2 :M@u .uMi //'._.'\ \ :k :U@BOi:vSM2B // . \ \ 7E@B@B@O8PrMk ;B || . \ \ @: @r |\ : / | EM. ;@ \ `) ' (` /_ .B7 0L _)``".____,.'"` (_ ..,:i;7vjuFXZEOMMBBL:::.rB@B@B@ ) )'--'( ( .,::ir77vvJjuu2UF5SS00GZOMBB@B@B@B@B@B@ '---` `---` ::iirr77rrr77vLLLjuu25FXPNZGMOOO@B@B@B@B@@@B@B@B@B :i:i::,:,i,:,:.:.:.:.:.:.:.,.,.,............. ...
Alan Alejandro Villaverde wrote:
The only way I found to make it works is setting the following lines in the user file:
vi users:
avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456"
Don't do that. You were told to not do that. It's not necessary. It's wrong.
It works, but how do you handle 1000 users for example? It turns very difficult to manage the user passwords.
You put the passwords in a database. That's what databases are for,
For instance, if the user change the password in the linux box, then you need to edit the users file to replicate that password.
i.e. you store the passwords in 2 places, so when the password changes, it has to be changed in both places. That's not a surprise.
I have running tacacs+ in the same box, and the user only has to use an unique password for radius and tacacs defined by passwd. I am using PAM authentication for this.
I have no idea what that means.
On the other hand, If I work with PAP I can handle the users like a Linux user, so the managament is easier and it depends on the final user. The user can access the linux box and change his password with a simple passwd and all is replicated for tacacs and freeradius. It is the way how is working today, but I was requested to set MSCHAP authentication due to security audits.
MS-CHAP isn't much more secure than PAP.
When user try to access wireless controller, he puts his password and then radius checks the password with the passwd file or shadow file without any necesity of "editing radius users file"
MS-CHAP is incompatible with /etc/passwd. It's impossible to use them both.
I think I am missing something regarding how to set MSCHAP authentication, and that radius checks the password without using Cleartext-Password in the USERS file.
The server doesn't care where it gets the password from. It doesn't matter if it's the "users" file, a database, or anywhere else. The server DOES care about the format of the password. MS-CHAP requires clear-text passwords, *or* NT hashed passwords. Neither format can be stored in /etc/passwd. It's impossible to "work around" this. Don't even try. Alan DeKok.
Understood! Thanks for your support and time guys! 2014-10-30 11:49 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
Alan Alejandro Villaverde wrote:
The only way I found to make it works is setting the following lines in the user file:
vi users:
avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456"
Don't do that. You were told to not do that. It's not necessary. It's wrong.
It works, but how do you handle 1000 users for example? It turns very difficult to manage the user passwords.
You put the passwords in a database. That's what databases are for,
For instance, if the user change the password in the linux box, then you need to edit the users file to replicate that password.
i.e. you store the passwords in 2 places, so when the password changes, it has to be changed in both places.
That's not a surprise.
I have running tacacs+ in the same box, and the user only has to use an unique password for radius and tacacs defined by passwd. I am using PAM authentication for this.
I have no idea what that means.
On the other hand, If I work with PAP I can handle the users like a Linux user, so the managament is easier and it depends on the final user. The user can access the linux box and change his password with a simple passwd and all is replicated for tacacs and freeradius. It is the way how is working today, but I was requested to set MSCHAP authentication due to security audits.
MS-CHAP isn't much more secure than PAP.
When user try to access wireless controller, he puts his password and then radius checks the password with the passwd file or shadow file without any necesity of "editing radius users file"
MS-CHAP is incompatible with /etc/passwd. It's impossible to use them both.
I think I am missing something regarding how to set MSCHAP authentication, and that radius checks the password without using Cleartext-Password in the USERS file.
The server doesn't care where it gets the password from. It doesn't matter if it's the "users" file, a database, or anywhere else.
The server DOES care about the format of the password. MS-CHAP requires clear-text passwords, *or* NT hashed passwords. Neither format can be stored in /etc/passwd.
It's impossible to "work around" this. Don't even try.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alan Alejandro Villaverde. ,JL. j@, Zv uJ.u@qJ :LBO:v1 :r1@ MB G1 rB8Ur , r@Ei O .7 @. :N,:BBO05v,:, :7 u Or vM@r:E: rqr,: .v X Or 7@r v@U ,@::: 5 .L M: YO:2@OS. . .7: N iP Y@riBr ,:i::: :q ,q. qk :ii YO. iv7r77r iGF :7v7 :u0u. 7Lj ;5k1r7BN 7P552552v: LUM1, 7FUi:..v@B ik7JMJ. ..,v@rk. _..._ Y8. vL: .5@v E. .' '. ui,N: .G.O@: @ / _ _ \ .P: J7LEBO Bi | (o)_(o) | .1 i@B7 .MU \( ) / 2 :M@u .uMi //'._.'\ \ :k :U@BOi:vSM2B // . \ \ 7E@B@B@O8PrMk ;B || . \ \ @: @r |\ : / | EM. ;@ \ `) ' (` /_ .B7 0L _)``".____,.'"` (_ ..,:i;7vjuFXZEOMMBBL:::.rB@B@B@ ) )'--'( ( .,::ir77vvJjuu2UF5SS00GZOMBB@B@B@B@B@B@ '---` `---` ::iirr77rrr77vLLLjuu25FXPNZGMOOO@B@B@B@B@@@B@B@B@B :i:i::,:,i,:,:.:.:.:.:.:.:.,.,.,............. ...
participants (3)
-
Alan Alejandro Villaverde -
Alan DeKok -
Arran Cudbard-Bell