Using encrypted passwords from LDAP
Dear all, first of all: The LDAP-Server doesn't contain a clear-text password. They are encrypted and this isn't allowed to change. The password field is "userPassword". I was testing my LDAP-Configuration in Freeradius with NTRadPing. If I make an authentication Request I get a response: Access_accept. I am happy that freeradius can speak to LDAP :-)) Now my problem is: The wireless client is configured to LEAP, I enter the same user and password as in NTRadPing Utility. But I don't get access. I don't understand what I have done wrong. Maybee the eap-module is not able to forward the bind to the LDAP-Server ? If i use LEAP and set the password_attribute to an cleartext field in ldap it works. I was setting as password_attribute the field to givenname and enter as passwort the givenname of user. If I use the LEAP mode on the client the login to WLAN works fine (by using cleartext) But I have to use the encrypted password in LDAP because of security reasons. What can I do ?
Steffen Langhammer wrote:
The LDAP-Server doesn't contain a clear-text password. They are encrypted and this isn't allowed to change.
hhttp://deployingradius.com/documents/protocols/compatibility.html
The password field is "userPassword".
I was testing my LDAP-Configuration in Freeradius with NTRadPing. If I make an authentication Request I get a response: Access_accept. I am happy that freeradius can speak to LDAP :-))
Now my problem is: The wireless client is configured to LEAP, I enter the same user and password as in NTRadPing Utility. But I don't get access.
Your requirements are impossible to satisfy.
I don't understand what I have done wrong. Maybee the eap-module is not able to forward the bind to the LDAP-Server ?
No. Read the page given by the URL above. What you want to do is impossible.
If i use LEAP and set the password_attribute to an cleartext field in ldap it works.
Exactly.
I was setting as password_attribute the field to givenname and enter as passwort the givenname of user.
If I use the LEAP mode on the client the login to WLAN works fine (by using cleartext) But I have to use the encrypted password in LDAP because of security reasons.
What can I do ?
Read the last section of that web page. Trying to do the impossible is an effort in futility. Change your requirements to something that is possible to do. My suggestion: don't do LEAP. It's insecure. Use another EAP method such as TTLS. Alan DeKok.
Hi Alan, its also possible to use PEAP-GTC (prefered). If I see this table it should be possible to use also encrypted passwords with EAP-GTC. But in this case I never get a working configuration. 2009/8/7 Alan DeKok <aland@deployingradius.com>
Steffen Langhammer wrote:
The LDAP-Server doesn't contain a clear-text password. They are encrypted and this isn't allowed to change.
hhttp://deployingradius.com/documents/protocols/compatibility.html
The password field is "userPassword".
I was testing my LDAP-Configuration in Freeradius with NTRadPing. If I make an authentication Request I get a response: Access_accept. I am happy that freeradius can speak to LDAP :-))
Now my problem is: The wireless client is configured to LEAP, I enter the same user and password as in NTRadPing Utility. But I don't get access.
Your requirements are impossible to satisfy.
I don't understand what I have done wrong. Maybee the eap-module is not able to forward the bind to the LDAP-Server ?
No. Read the page given by the URL above. What you want to do is impossible.
If i use LEAP and set the password_attribute to an cleartext field in ldap it works.
Exactly.
I was setting as password_attribute the field to givenname and enter as passwort the givenname of user.
If I use the LEAP mode on the client the login to WLAN works fine (by using cleartext) But I have to use the encrypted password in LDAP because of security reasons.
What can I do ?
Read the last section of that web page.
Trying to do the impossible is an effort in futility. Change your requirements to something that is possible to do.
My suggestion: don't do LEAP. It's insecure. Use another EAP method such as TTLS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Its a bad system and solution in this case. Because a cleartext-match isn't the same as a ldap-bind. I was checking Cisco ACS and there an option handles different LDAP Sources with encrypted fields. Maybee as idea... Steffen 2009/8/7 Alan DeKok <aland@deployingradius.com>
Steffen Langhammer wrote:
Hi Alan,
its also possible to use PEAP-GTC (prefered). If I see this table it should be possible to use also encrypted passwords with EAP-GTC.
But in this case I never get a working configuration.
Then see the FAQ for "it doesn't work"
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Steffen Langhammer wrote:
Its a bad system and solution in this case.
The only problem is the failure to understand limitations. I didn't say "FreeRADIUS couldn't do it". I said "it's impossible".
Because a cleartext-match isn't the same as a ldap-bind.
That isn't news.
I was checking Cisco ACS and there an option handles different LDAP Sources with encrypted fields.
For Access-Requests that contain CLEAR TEXT PASSWORDS. It does NOT DO THIS for Access-Requests that contain PEAP. FreeRADIUS can authenticate Access-Requests against crypt'd passwords in LDAP, when the Access-Requests contain a User-Password attribute. Why? Because the table I pointed you to shows that it's POSSIBLE. The red entries in the table show what is IMPOSSIBLE. The text on that page explains in great detail what your options are if you want to do the impossible. Now stop arguing. If you think that ACS can do PEAP authentication using crypt'd passwords in LDAP, then go buy ACS. Maybe their support department will convince you that it's impossible. If they don't, they won't care, because you'll have paid $5K for a piece of software that doesn't solve your problem. You'll then have to do *ANYWAYS* what I'm telling you: change your requirements. Alan DeKok.
participants (2)
-
Alan DeKok -
Steffen Langhammer