FreeRADIUS without Universal Password
Is there a way to integrate FreeRADIUS without having to use the universal password in Novell? Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687
In a word no. The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/modified by ldap as userpassword but cannot be returned in an ldap search. Otherwise you'd have to create an attribute and store the password in it as an nt hash or something and decrypt it to provide it to freeradius. Mearl
-----Original Message----- From: freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius- users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Jason C Brown Sent: Wednesday, February 04, 2009 4:42 PM To: FreeRadius users mailing list Subject: FreeRADIUS without Universal Password
Is there a way to integrate FreeRADIUS without having to use the universal password in Novell?
Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well? Thanks Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687 On Feb 4, 2009, at 6:15 PM, Danner, Mearl wrote:
In a word no.
The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/ modified by ldap as userpassword but cannot be returned in an ldap search.
Otherwise you'd have to create an attribute and store the password in it as an nt hash or something and decrypt it to provide it to freeradius.
Mearl
-----Original Message----- From: freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius- users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Jason C Brown Sent: Wednesday, February 04, 2009 4:42 PM To: FreeRadius users mailing list Subject: FreeRADIUS without Universal Password
Is there a way to integrate FreeRADIUS without having to use the universal password in Novell?
Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have no idea. You'll need to ask them. Mearl
-----Original Message----- From: freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius- users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Jason C Brown Sent: Wednesday, February 04, 2009 5:45 PM To: FreeRadius users mailing list Subject: Re: FreeRADIUS without Universal Password
Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well? Thanks
Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687
On Feb 4, 2009, at 6:15 PM, Danner, Mearl wrote:
In a word no.
The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/ modified by ldap as userpassword but cannot be returned in an ldap search.
Otherwise you'd have to create an attribute and store the password in it as an nt hash or something and decrypt it to provide it to freeradius.
Mearl
-----Original Message----- From: freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius- users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Jason C Brown Sent: Wednesday, February 04, 2009 4:42 PM To: FreeRadius users mailing list Subject: FreeRADIUS without Universal Password
Is there a way to integrate FreeRADIUS without having to use the universal password in Novell?
Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You could just use BorderManager or whatever the new iteration of it is called. On Wed, Feb 4, 2009 at 8:33 PM, Danner, Mearl <jmdanner@samford.edu> wrote:
I have no idea. You'll need to ask them.
Mearl
-----Original Message----- From: freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius- users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Jason C Brown Sent: Wednesday, February 04, 2009 5:45 PM To: FreeRadius users mailing list Subject: Re: FreeRADIUS without Universal Password
Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well? Thanks
Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687
On Feb 4, 2009, at 6:15 PM, Danner, Mearl wrote:
In a word no.
The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/ modified by ldap as userpassword but cannot be returned in an ldap search.
Otherwise you'd have to create an attribute and store the password in it as an nt hash or something and decrypt it to provide it to freeradius.
Mearl
-----Original Message----- From: freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius- users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Jason C Brown Sent: Wednesday, February 04, 2009 4:42 PM To: FreeRadius users mailing list Subject: FreeRADIUS without Universal Password
Is there a way to integrate FreeRADIUS without having to use the universal password in Novell?
Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jason C Brown wrote:
Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well?
Please read this explanation again:
The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/modified by ldap as userpassword but cannot be returned in an ldap search.
The password can't be seen by *any* RADIUS server until it's stored as a Universal password. This is a limitation of Novell's LDAP server, and applies to all LDAP clients, whether they are RADIUS servers, command-line clients, web servers, or anything else. Alan DeKok.
I had to ask, I have people telling me that this is a limitation of only FreeRADIUS and not all RADIUS servers in general. There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP. Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687 On Feb 5, 2009, at 1:48 AM, Alan DeKok wrote:
Jason C Brown wrote:
Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well?
Please read this explanation again:
The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/ modified by ldap as userpassword but cannot be returned in an ldap search.
The password can't be seen by *any* RADIUS server until it's stored as a Universal password.
This is a limitation of Novell's LDAP server, and applies to all LDAP clients, whether they are RADIUS servers, command-line clients, web servers, or anything else.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I had to ask, I have people telling me that this is a limitation of only FreeRADIUS and not all RADIUS servers in general. There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.
you *might& be able to encrypt it - it'll still have to be in the same place etc - then you might be able to use the auto-handle features of FreeRADIUS for it to decrypt the password to something suitable. never tried, but sounds feasible. the record would/may(?) have to start with the encryption flavour used eg {SHA256} or somesuch alan
* A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> [Thu, 5 Feb 2009 16:52:36 +0000]:
I had to ask, I have people telling me that this is a limitation of only FreeRADIUS and not all RADIUS servers in general. There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.
you *might& be able to encrypt it - it'll still have to be in the same place etc - then you might be able to use the auto-handle features of FreeRADIUS for it to decrypt the password to something suitable. never tried, but sounds feasible. the record would/may(?) have to start with the encryption flavour used eg {SHA256} or somesuch
A shared secret would need to be known by both parties (or to have some public key infrastructure in place) for encryption/decryption to work. If you have a shared secret between already then there hardly is any point. This is where EAP-TTLS steps in to save the day, effectively SSL for RADIUS/EAP. <nitpick> hash != encryption </nitpick> You can use hashes to provide authenticity of a chunk of data (HMAC's). To encrypt that's where AES, Blowfish and such step in and for those to work you need a key, which means you need a shared secret between you and the client; which in a round about way defeats the point of the authentication. 'Other' RADIUS servers, I am almost certain, just do a bog standard LDAP bind[1] and work on from there. Cheers [1] use the plaintext password and authenticate pretending to be an LDAP client using the users credentials; identical to how you would use ldap(search|modify|add|kitchensink) with credentials -- Alexander Clouter .sigmonster says: Graduate life: It's not just a job. It's an indenture.
Jason C Brown wrote:
I had to ask, I have people telling me that this is a limitation of only FreeRADIUS and not all RADIUS servers in general.
Novell's Border Manager likely doesn't need the UP, simply because it uses secret Novell API's. Everyone else uses Universal passwords. *Everyone*.
There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.
Storing the UP in clear text isn't a security issue. Really. Alan DeKok.
* Alan DeKok <aland@deployingradius.com> [Thu, 05 Feb 2009 18:35:58 +0100]:
There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.
Storing the UP in clear text isn't a security issue. Really.
I have always considered it more of a problem that the users know the password :) Cheers -- Alexander Clouter .sigmonster says: You display the wonderful traits of charm and courtesy.
Universal Password is encrypted. It's attribute name is npsmDistributionPassword I believe. As a further protection it is only readable by admin roles. You'll have to set up freeradius to bind with such a login and get the password and decrypt it. That function has been in freeradius for quite a while. That process will give freeradius (internally) a cleartext password to use for mschapv2. We moved to all M$ products a while back, but used freeradius against eDirectory for a couple of years before we moved to all Windows servers. It was low maintenance and worked well for us. The only issue was the moving auth target that M$ eap clients presented us. That's why we use IAS presently. At least when it breaks it's their fault. Mearl
-----Original Message----- From: freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius- users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Jason C Brown Sent: Thursday, February 05, 2009 10:45 AM To: FreeRadius users mailing list Subject: Re: FreeRADIUS without Universal Password
I had to ask, I have people telling me that this is a limitation of only FreeRADIUS and not all RADIUS servers in general. There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.
Jason Brown - RHCT, Security+, Linux+, Network+ Systems Administrator Enterprise Technology Services Ferris State University (231) 591-2687
On Feb 5, 2009, at 1:48 AM, Alan DeKok wrote:
Jason C Brown wrote:
Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well?
Please read this explanation again:
The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/ modified by ldap as userpassword but cannot be returned in an ldap search.
The password can't be seen by *any* RADIUS server until it's stored as a Universal password.
This is a limitation of Novell's LDAP server, and applies to all LDAP clients, whether they are RADIUS servers, command-line clients, web servers, or anything else.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
* Jason C Brown <jasonbrown@ferris.edu> [Wed, 4 Feb 2009 17:41:49 -0500]:
Is there a way to integrate FreeRADIUS without having to use the universal password in Novell?
You need to send the password in plaintext to the RADIUS server from the connecting client, in the world of 802.1X this is typically done with wrapping PAP in EAP-TTLS[1]. It's what we had to do in the early days whilst migrating from a non-UP world to a UP world...now I just have to work out how to dispose of Novell but that's another battle. When you use PAP, you can just do a nasty bog standard LDAP bind and get FreeRADIUS to check that it succeeds and then work from there. Once you are UP'ed you can then enable the horrors of MSCHAP and let those horrible Jesus Phones connect and what not. Looking on the good side, no iPhones on your wireless network till you get there, so you might want to view this as a reason not to UP altogether ;) Cheers [1] which is better than PEAP anyway as you have the option to pre-config windows clients with a single EXE; if you choose to use SecureW2 -- Alexander Clouter .sigmonster says: Practice yourself what you preach. -- Titus Maccius Plautus
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Alexander Clouter -
Danner, Mearl -
Jason C Brown -
SDamron