Dear FreeRadius-users, I have a cisco VPN concentrator, which uses radius (Currently ACS) also a WLAN controller, again using radius, again currently ACS. I'll use PAP (ldap auth) from the VPN concentrator but mschapv2 from the wireless, as it'll go through a peap or eap-tls tunnel. I have NT and LM hashes already in the LDAP, I just need to extract them... Could I get a pointers on how I command the right auth type for the right device. And how I get the nt/lm hashes from ldap and do mschapv2.. Cheers Rob -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 07776 210516
Rob Shepherd <rob@techniumcast.com> wrote:
I'll use PAP (ldap auth)
Please don't. It makes everything harder. LDAP is a database, not an authentication server. Have the server read the clear-text password from LDAP, and the server will figure out how to authenticate the user. Remove "ldap" from the "authenticate" section. It's just not necessary.
from the VPN concentrator but mschapv2 from the wireless, as it'll go through a peap or eap-tls tunnel. I have NT and LM hashes already in the LDAP, I just need to extract them...
See ldap.attrmap.
Could I get a pointers on how I command the right auth type for the right device.
You don't. You supply the server with passwords, and it figure out what to do.
And how I get the nt/lm hashes from ldap and do mschapv2..
ldap.attrmap, and the server will figure out what to do. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Rob Shepherd <rob@techniumcast.com> wrote:
I'll use PAP (ldap auth)
Please don't. It makes everything harder.
OK.
LDAP is a database, not an authentication server. Have the server read the clear-text password from LDAP, and the server will figure out how to authenticate the user. Remove "ldap" from the "authenticate" section. It's just not necessary.
No clear-text is stored in LDAP. I have MD5 in userPassword and the two samba hashes. The cisco kit, VPN concentrator and switches etc, supply a clear text password at radius. I figured my only option was to PAP-to-LDAP. Is there an alternative for this situation?
from the VPN concentrator but mschapv2 from the wireless, as it'll go through a peap or eap-tls tunnel. I have NT and LM hashes already in the LDAP, I just need to extract them...
And how I get the nt/lm hashes from ldap and do mschapv2..
ldap.attrmap, and the server will figure out what to do.
Thanks. -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 07776 210516
Rob Shepherd wrote:
No clear-text is stored in LDAP. I have MD5 in userPassword and the two samba hashes. The cisco kit, VPN concentrator and switches etc, supply a clear text password at radius. I figured my only option was to PAP-to-LDAP.
Is there an alternative for this situation?
Use an instance of the "pap" module with "encryption_scheme = nt" modules { pap nthashpap { encryption_scheme = nt } } authorize { preprocess files } authenticate { Auth-Type PAP { nthashpap } } ...however, you will need: DEFAULT Auth-Type := PAP ...somewhere, since the PAP module in 1.1.0 (and I think all non-CVS versions?) does not (irritatingly) set Auth-Type to PAP, and cannot even run in the authorize section. Newer versions of the server (CVS) will both auto-detect "{type}hash" type prefixes in values *and* set the auth-type so you can just do: modules { pap { auto_header = yes } } authorize { preprocess pap ldap } authenticate { Auth-Type PAP { pap } }
I would like to only log failed auth attempts not successful. Does anyone know a way to do this?
participants (4)
-
Alan DeKok -
Mark Jones -
Phil Mayers -
Rob Shepherd