Hi Source data: OpenLDAP FreeRADIUS Version 3.0.21 I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in the debut mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.
On 03.08.20 15:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in the debut mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.
Please read http://deployingradius.com/documents/protocols/compatibility.html first to see if the way the password is stored in OpenLDAP is compatible with MS-CHAP. (Odds are, it isn't.) Grüße, Sven.
It turns out that the vpn client macos only works with Active Directory ? So Apple depends on Windows ? This is vendor lock )
3 авг. 2020 г., в 16:24, Sven Hartge <sven@svenhartge.de> написал(а):
On 03.08.20 15:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in the debut mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.
Please read http://deployingradius.com/documents/protocols/compatibility.html first to see if the way the password is stored in OpenLDAP is compatible with MS-CHAP.
(Odds are, it isn't.)
Grüße, Sven. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 3, 2020, at 9:29 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
It turns out that the vpn client macos only works with Active Directory ? So Apple depends on Windows ?
No. It works with everything. The issue is HOW the password is stored. Not WHERE it is stored. Alan DeKok
Top posting. I don't use/involve freeradius for VPN on the Mac, but I certainly use MSChapv2 {with L2TP]. The native L2TP client on the Mac DOES NOT require Active Directory. I suspect you have some other problem. !vFU> It turns out that the vpn client macos only works with Active !vFU> Directory ? So Apple depends on Windows ? This is vendor lock )
3 авг. 2020 г., в 16:24, Sven Hartge <sven@svenhartge.de> написал(а):
On 03.08.20 15:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in the debut mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.
Please read http://deployingradius.com/documents/protocols/compatibility.html first to see if the way the password is stored in OpenLDAP is compatible with MS-CHAP.
(Odds are, it isn't.)
Thanks. Maybe I need to configure the MSCHAP freeradius module for OpenLDAP authentication. I haven't figured out how yet ) The ldap module is configured correctly 3 авг. 2020 г., в 16:42, Gregory Sloop <gregs@sloop.net<mailto:gregs@sloop.net>> написал(а): Top posting. I don't use/involve freeradius for VPN on the Mac, but I certainly use MSChapv2 {with L2TP]. The native L2TP client on the Mac DOES NOT require Active Directory. I suspect you have some other problem. ??!vFU> It turns out that the vpn client macos only works with Active ??!vFU> Directory ? So Apple depends on Windows ? This is vendor lock )
3 авг. 2020 г., в 16:24, Sven Hartge <sven@svenhartge.de<mailto:sven@svenhartge.de>> написал(а):
On 03.08.20 15:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in the debut mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.
Please read http://deployingradius.com/documents/protocols/compatibility.html<http://deployingradius.com/documents/protocols/compatibility.html> first to see if the way the password is stored in OpenLDAP is compatible with MS-CHAP.
(Odds are, it isn't.)
I you recommend to use kerberos (or ntlm) and ldap only for the group memberships, But i cant speak for you so i suggest, read the links below, use what you need. http://deployingradius.com/documents/configuration/active_directory.html or https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Di... And/or ! Note, the setting shown in the 2 above links need still to be applied in the one below. https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD Greetz, Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens ?????????????? ???????????????? ?????????????????? via Freeradius-Users Verzonden: maandag 3 augustus 2020 15:49 Aan: FreeRadius users mailing list CC: ?????????????? ???????????????? ?????????????????? Onderwerp: Re: MSCHAPV2 + OpenLDAP
Thanks. Maybe I need to configure the MSCHAP freeradius module for OpenLDAP authentication. I haven't figured out how yet ) The ldap module is configured correctly
3 ??????. 2020 ??., ?? 16:42, Gregory Sloop <gregs@sloop.net<mailto:gregs@sloop.net>> ??????????????(??):
Top posting. I don't use/involve freeradius for VPN on the Mac, but I certainly use MSChapv2 {with L2TP]. The native L2TP client on the Mac DOES NOT require Active Directory.
I suspect you have some other problem.
??!vFU> It turns out that the vpn client macos only works with Active ??!vFU> Directory ? So Apple depends on Windows ? This is vendor lock )
3 ??????. 2020 ??., ?? 16:24, Sven Hartge <sven@svenhartge.de<mailto:sven@svenhartge.de>> ??????????????(??):
On 03.08.20 15:04, ?????????????? ???????????????? ?????????????????? via Freeradius-Users wrote:
I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in the debut mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.
Please read
http://deployingradius.com/documents/protocols/compatibility.h tml<http://deployingradius.com/documents/protocols/compatibili ty.html> first
to see if the way the password is stored in OpenLDAP is compatible with MS-CHAP.
(Odds are, it isn't.)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm sorry, but the links refer to Active Directory and samba dc . I just don't have Active Directory. I only have OpenLDAP. I'll keep thinking about solving this problem 3 авг. 2020 г., в 17:30, L.P.H. van Belle via Freeradius-Users <freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> написал(а): I you recommend to use kerberos (or ntlm) and ldap only for the group memberships,
So you have seen the examples for ldap then ;-) Great, Good luck.
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens ?????????????? ???????????????? ?????????????????? > via Freeradius-Users Verzonden: maandag 3 augustus 2020 16:48 Aan: FreeRadius users mailing list CC: ?????????????? ???????????????? ?????????????????? Onderwerp: Re: MSCHAPV2 + OpenLDAP
I'm sorry, but the links refer to Active Directory and samba dc . I just don't have Active Directory. I only have OpenLDAP.
I'll keep thinking about solving this problem
3 ??????. 2020 ??., ?? 17:30, L.P.H. van Belle via Freeradius-Users <freeradius-users@lists.freeradius.org<mailto:freeradius-users @lists.freeradius.org>> ??????????????(??):
I you recommend to use kerberos (or ntlm) and ldap only for the group memberships,
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 03.08.20 16:48, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
I'm sorry, but the links refer to Active Directory and samba dc . I just don't have Active Directory. I only have OpenLDAP.
I'll keep thinking about solving this problem
The solution is very simple: If you only have the hashed password of a user in LDAP, then you can't use MSCHAP. You need to have the clear or NTHASH password for that. This is exactly what the documentation tells you.
cleartext is not suitable. Is there an instruction for enabling nthash in openldap ?
3 авг. 2020 г., в 18:06, Sven Hartge <sven@svenhartge.de> написал(а):
On 03.08.20 16:48, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
I'm sorry, but the links refer to Active Directory and samba dc . I just don't have Active Directory. I only have OpenLDAP.
I'll keep thinking about solving this problem
The solution is very simple: If you only have the hashed password of a user in LDAP, then you can't use MSCHAP.
You need to have the clear or NTHASH password for that.
This is exactly what the documentation tells you. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am 03.08.20 um 20:04 schrieb Клеусов Владимир Сергеевич via Freeradius-Users:
cleartext is not suitable. sure, and not needed either. Is there an instruction for enabling nthash in openldap ? In principle, yes -- but be careful. The ancient NTLM Hash is pretty close to cleartext in 2020, so make sure nobody steals the hash.
1. Create an attribute conataining NTLMHash in your OpenLDAP schema, named e.g. MyNTPassword 2. Store your NT-hashed passwords there 3. In mods-available/ldap, there's already a well-prepared config line for you in the update{} section starting with control:NT-Password. On the right hand's side of this assignment, adjust the LDAP attribute Name e.g. to MyNTPassword an uncomment the line The result looks similar to: ldap { [...] update { control:NT-Password := 'MyNTPassword' [...] } [...] } FR will pull the NTLM Hash from LDAP and perform the server side of the MS-CHAP authentication itself, no Windows server needed. HTH, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
Thanks. I don't quite understand.
2. Store your NT-hashed passwords there How do I do this ?
10 авг. 2020 г., в 20:10, Martin Pauly <pauly@hrz.uni-marburg.de> написал(а):
Am 03.08.20 um 20:04 schrieb Клеусов Владимир Сергеевич via Freeradius-Users:
cleartext is not suitable. sure, and not needed either. Is there an instruction for enabling nthash in openldap ? In principle, yes -- but be careful. The ancient NTLM Hash is pretty close to cleartext in 2020, so make sure nobody steals the hash.
1. Create an attribute conataining NTLMHash in your OpenLDAP schema, named e.g. MyNTPassword 2. Store your NT-hashed passwords there 3. In mods-available/ldap, there's already a well-prepared config line for you in the update{} section starting with control:NT-Password. On the right hand's side of this assignment, adjust the LDAP attribute Name e.g. to MyNTPassword an uncomment the line
The result looks similar to:
ldap { [...] update { control:NT-Password := 'MyNTPassword' [...] } [...] }
FR will pull the NTLM Hash from LDAP and perform the server side of the MS-CHAP authentication itself, no Windows server needed.
HTH, Martin
-- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am 11.08.20 um 10:31 schrieb Клеусов Владимир Сергеевич via Freeradius-Users:
2. Store your NT-hashed passwords there How do I do this ?
e.g. like this author recommends: https://blog.atucom.net/2012/10/generate-ntlm-hashes-via-command-line.html But you will need cleartext at some point. Actually, I see little use in emplyoing a VPN solution that _only_ does MS-CHAPv2. As you can see, you would need to convert all your passwords from _cleartext_. IMO, you would be better off with a VPN solution that queries LDAP directly or via RADIUS, but without fancy protocol diversions. Greetings, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (7)
-
Alan DeKok -
Gregory Sloop -
L.P.H. van Belle -
Martin Pauly -
Sven Hartge -
Клеусов Владимир Сергее вич -
Клеусов Владимир Сергеевич