Hello Everybody, I have two questions for my understanding. I set up FreeRADIUS to authenticate against our Active Directory. I read in the readme that this couldn´t be done with the ldap module, so I did it with SAMBA. It works fine for MSCHAPv2. But nowhere stands why it couldn't be done with the ldap module. Can anybody give a technical explanation? As I read the ldap module can only work with cleartext passwords and eap is encrypted. But why can't it work with. A technical explanation would be nice. As I wrote I setted FreeRADIUS up to work fine with the Active Directory. I configured the eap.conf to work with PEAP and MSCHAPv2. When I configured it in this way I don't need certificates? The certificates aren't checked by the clients or server aren't they? Do I need certificates when I use PEAP with MSCHAPv2 or I am doing something wrong? Best Regards Sebastian Heinrich Techn. DV Aluminium Oxid Stade GmbH Johann-Rathje-Köser-Straße 21683 Stade email S.Heinrich@aos-stade.de web http://www.aos-stade.de <http://www.aos-stade.de/> ________________________________ Rechtliche Hinweise Registergericht:Tostedt HRB 100017 Vorsitzender des Aufsichtsrates: Victor Phillip M. Dahdaleh Geschäftsführer: Helmuth Buhrfeindt, Eberhard Guhl Der Inhalt dieser E-Mail ist ausschliesslich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veroeffentlichung, Vervielfaeltigung oder Weitergabe des Inhalts dieser E-Mail unzulaessig ist. Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. The information contained in this email is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately.
Hi,
I have two questions for my understanding. I set up FreeRADIUS to authenticate against our Active Directory. I read in the readme that this couldn´t be done with the ldap module, so I did it with SAMBA. It works fine for MSCHAPv2. But nowhere stands why it couldn’t be done with the ldap module. Can anybody give a technical explanation? As I read the ldap module can only work with cleartext passwords and eap is encrypted. But why can’t it work with. A technical explanation would be nice.
it depends what you want to do with the AP and ldap - you can use it to check groups membership etc.
As I wrote I setted FreeRADIUS up to work fine with the Active Directory. I configured the eap.conf to work with PEAP and MSCHAPv2. When I configured it in this way I don’t need certificates? The certificates aren’t checked by the clients or server aren’t they? Do I need certificates when I use PEAP with MSCHAPv2 or I am doing something wrong?
PEAP will show the client 2 certificates...the server certificate and the CA of that certificate (and intermediates if there are any). a basic freeradius install will have 2 snake-oil certs (local CA and server sined by that CA). it is up to you to ensure that clients are configured to check/verify the certificates. alan
On 29/03/12 13:24, Heinrich, Sebastian wrote:
Hello Everybody,
I have two questions for my understanding. I set up FreeRADIUS to authenticate against our Active Directory. I read in the readme that this couldn´t be done with the ldap module, so I did it with SAMBA. It works fine for MSCHAPv2. But nowhere stands why it couldn’t be done with the ldap module. Can anybody give a technical explanation? As I read the ldap module can only work with cleartext passwords and eap is encrypted. But why can’t it work with. A technical explanation would be nice.
Basically: MS-CHAP is a cryptographic, challenge-response protocol. To perform the correct crypto, you need the NT-Hash of the users password. If you have Active Directory, you can't extract this hash; it is stored in the domain controllers, and not visible over LDAP. Therefore, you have to use Samba/ntlm_auth to "send" the MS-CHAP to a domain controller, which does the crypto for you.
As I wrote I setted FreeRADIUS up to work fine with the Active Directory. I configured the eap.conf to work with PEAP and MSCHAPv2. When I configured it in this way I don’t need certificates? The certificates aren’t checked by the clients or server aren’t they? Do I need certificates when I use PEAP with MSCHAPv2 or I am doing something wrong?
You need a certificate at the server side. You should make sure your clients validate this certificate, otherwise an attacker can impersonate you and capture MS-CHAP packets, and perform cryptographic attacks. You don't need a certificate at the client side.
Hello Everybody, first of all thanks for the quick response. Especially thanks to Phil. The first question is completely answered. Now it is clear to me why I have to use SAMBA. The second question isn't answered so that I could understand it. I created the certificates as told in the readme in the subdirectory /etc/certs. When I use Windows XP and uncheck the checkbox "checking certificate" it works. So as I understand the certificate of the server isn't checked or am I wrong. It is only checked when using the checkbox. When I use the checkbox I get an access accept message in the debug modus of FreeRADIUS and short after it a reject message with the message that I have to read the certificate wiki on the page. Is the problem that the certificate I created isn't an official certificate? How can I solve it? Mit freundlichen Grüßen Sebastian Heinrich Techn. DV Aluminium Oxid Stade GmbH Johann-Rathje-Köser-Straße 21683 Stade email S.Heinrich@aos-stade.de web http://www.aos-stade.de
Hi,
The second question isn't answered so that I could understand it. I created the certificates as told in the readme in the subdirectory /etc/certs. When I use Windows XP and uncheck the checkbox "checking certificate" it works. So as I understand the certificate of the server isn't checked or am I wrong. It is only checked when using the checkbox. When I use the checkbox I get an access accept message in the debug modus of FreeRADIUS and short after it a reject message with the message that I have to read the certificate wiki on the page. Is the problem that the certificate I created isn't an official certificate? How can I solve it?
if the 'check certificate' isnt ticked, then no...your client wont be checking the certificate. to have a happy client when checking the cert, the 'check certificate' needs to be ticked, the CN from the certificate should be in the 'server name' field and the CA ticked in the list of CA's. if you dont see the CA of the RADIUS server in that list, then you need to install tha CA into the clients trusted root certificate store... copy the .der to the client click on it...then choose to select where to put it... (there are loads and loads of documents covering this scattered all over the internet.. some are newer than others...and so correct) alan
to have a happy client when checking the cert, the 'check certificate' needs to be ticked, the CN from the certificate should be in the 'server name' field and the CA ticked in the list of CA's. if you dont see the CA of the RADIUS server in that list, then you need to install tha CA into the clients trusted root certificate store... copy the .der to the client click on it...then choose to select where to put it...
(there are loads and loads of documents covering this scattered all over the internet.. some are newer than others...and so correct)
All in all you can say that if I use PEAP-EAP-MS-CHAPv2 I don't need to create certificates and put them in the FreeRADIUS Server. There is nothing checked if you don't check the checkbox 'check certificate'. Actually the existing certificates in the certs subdirectory could be deleted but the authentification would work? Best Regards Sebastian Heinrich Techn. DV Aluminium Oxid Stade GmbH Johann-Rathje-Köser-Straße 21683 Stade email S.Heinrich@aos-stade.de web http://www.aos-stade.de
On Fri, Mar 30, 2012 at 1:07 PM, Heinrich, Sebastian <S.Heinrich@aos-stade.de> wrote:
to have a happy client when checking the cert, the 'check certificate' needs to be ticked, the CN from the certificate should be in the 'server name' field and the CA ticked in the list of CA's. if you dont see the CA of the RADIUS server in that list, then you need to install tha CA into the clients trusted root certificate store... copy the .der to the client click on it...then choose to select where to put it...
(there are loads and loads of documents covering this scattered all over the internet.. some are newer than others...and so correct)
All in all you can say that if I use PEAP-EAP-MS-CHAPv2 I don't need to create certificates and put them in the FreeRADIUS Server.
No.
From wikipedia, "PEAP is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel."
TLS always need a certificate.
There is nothing checked if you don't check the checkbox 'check certificate'.
It doesn't CHECK for the certificate common name (CN) or certificate authority (CA), but it still uses the server certicate to create the TLS tunnel.
Actually the existing certificates in the certs subdirectory could be deleted but the authentification would work?
It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then you don't need certificates. -- Fajar
From wikipedia, "PEAP is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel."
TLS always need a certificate.
There is nothing checked if you don't check the checkbox 'check certificate'.
It doesn't CHECK for the certificate common name (CN) or certificate authority (CA), but it still uses the server certicate to create the TLS tunnel.
Actually the existing certificates in the certs subdirectory could be deleted but the authentification would work?
It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then you don't need certificates.
But it would work with the standard certificates given in the certs subdirectory. There is no security improveness by creating new certificates and using them for PEAP-EAP-MSCHAPv2 when you don't check them. Best Regards Sebastian Heinrich
On Fri, Mar 30, 2012 at 2:21 PM, Heinrich, Sebastian <S.Heinrich@aos-stade.de> wrote:
Actually the existing certificates in the certs subdirectory could be deleted but the authentification would work?
It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then you don't need certificates.
But it would work with the standard certificates given in the certs subdirectory. There is no security improveness by creating new certificates
Yes, there is. Once the TLS tunnel is established, the traffic inside it will be encrypted. Anyone sniffing traffic it the middle will be unable to decode it. So at minimum, it helps prevents user/password sniffing. The difference might not be obvious with PEAP-MSCHAPv2 vs plain MSCHAPv2, but it's VERY significant when comparing PAP vs TTLS-PAP or PEAP-GTC.
and using them for PEAP-EAP-MSCHAPv2 when you don't check them.
... and that's why the recommendation is to CHECK them, and to successfully do that you usually need to have every client import the CA used to sign the server certs. -- Fajar
Actually the existing certificates in the certs subdirectory could be deleted but the authentification would work?
It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then you don't need certificates.
But it would work with the standard certificates given in the certs subdirectory. There is no security improveness by creating new certificates
Yes, there is.
Once the TLS tunnel is established, the traffic inside it will be encrypted. Anyone sniffing traffic it the middle will be unable to decode it. So at minimum, it helps prevents user/password sniffing.
The difference might not be obvious with PEAP-MSCHAPv2 vs plain MSCHAPv2, but it's VERY significant when comparing PAP vs TTLS-PAP or PEAP-GTC.
and using them for PEAP-EAP-MSCHAPv2 when you don't check them.
... and that's why the recommendation is to CHECK them, and to successfully do that you usually need to have every client import the CA used to sign the server certs.
But a TLS tunnel can be established with the standard certificates given in the certs subdirectory. Creating new certificates is only a security improveness when checking them? Is there any security improveness of creating new certificates and don't checking them? Best Regards Sebastian Heinrich Techn. DV Aluminium Oxid Stade GmbH Johann-Rathje-Köser-Straße 21683 Stade email S.Heinrich@aos-stade.de web http://www.aos-stade.de
Heinrich, Sebastian wrote:
But a TLS tunnel can be established with the standard certificates given in the certs subdirectory. Creating new certificates is only a security improveness when checking them?
Yes.
Is there any security improveness of creating new certificates and don't checking them?
If you don't check the certs, then they don't exist, and they don't add security. Alan DeKok.
On Fri, Mar 30, 2012 at 2:46 PM, Heinrich, Sebastian <S.Heinrich@aos-stade.de> wrote:
Creating new certificates is only a security improveness when checking them?
No
Is there any security improveness of creating new certificates and don't checking them?
Yes. See what I wrote earlier. I gave you my answers. If you don't agree with it, feel free to do so. Others with more expertise in that field might add their comment later. Asking the same questions again, however, will only get you the same answer. -- Fajar
We don't want to install certificates on the clients, but the problem that is given in wikipedia is that anybody can install an access point with the same ssid and a client that would connect with it would give him his MSCHAP encrypted username and password. How easy is it to crack such a password? An authentification wouldn't have happened but the attacker would have had the encrypted usernames and passwords. That is a problem because in my configuration that usernames and passwords are used for the active directory. So is it only secure to connect to the AD when checking the certificates? Or is there another possibility to make it secure without installing certificates? Best Regards Sebastian Heinrich Techn. DV Aluminium Oxid Stade GmbH 21683 Stade email S.Heinrich@aos-stade.de web http://www.aos-stade.de
On Fri, Mar 30, 2012 at 4:18 PM, Heinrich, Sebastian <S.Heinrich@aos-stade.de> wrote:
We don't want to install certificates on the clients, but the problem that is given in wikipedia is that anybody can install an access point with the same ssid and a client that would connect with it would give him his MSCHAP encrypted username and password.
err ... no. It doesn't work that way.
How easy is it to crack such a password? An authentification wouldn't have happened but the attacker would have had the encrypted usernames and passwords.
They won't.
problem because in my configuration that usernames and passwords are used for the active directory. So is it only secure to connect to the AD when checking the certificates? Or is there another possibility to make it secure without installing certificates?
It depends on how "secure" you want it to be. MSCHAPv2, even without PEAP, is already more secure than PAP. Alan said If you don't check the certs, they don't add security. I highly respect his oppinion as a radius expert, however I still think that using certificates, even when you don't check them, adds some level of security, because it makes sniffing a little harder. There's no argument, however, that the best implementation would be to use your own root CA, AND install it on clients, AND configure the client to check certificate. Phil's mail here might give you more options and information: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg74875.h... -- Fajar
On 30/03/12 10:38, Fajar A. Nugraha wrote:
How easy is it to crack such a password? An authentification wouldn't have happened but the attacker would have had the encrypted usernames and passwords.
They won't.
Not immediately. But MSCHAP is a complex (and old) algorithm, and it is possible to perform a known-ciphertext attack. See e.g. http://code.google.com/p/mschapv2acc/ I'd wager this attack could be improved a lot by capturing multiple chal/resp pairs and doing clever stuff with them, but my crypto maths are very rusty by this point. The takeaway is that you should not be doing MSCHAP over an insecure channel, IMO.
On 30/03/12 10:18, Heinrich, Sebastian wrote:
We don't want to install certificates on the clients, but the problem that is given in wikipedia is that anybody can install an access point with the same ssid and a client that would connect with it would give him his MSCHAP encrypted username and password. How easy is it to crack
Correct.
such a password? An authentification wouldn't have happened but the
MSCHAP and even MSCHAPv2 are old specifications. They were created before the renaissance of modern crypto, and they are not, in my view, very good algorithms. I would not trust MSCHAP or MSCHAPv2 to be secure against a known-ciphertext attack.
attacker would have had the encrypted usernames and passwords. That is a problem because in my configuration that usernames and passwords are used for the active directory. So is it only secure to connect to the AD when checking the certificates? Or is there another possibility to make
Yes. It is only secure if you check the certificates.
it secure without installing certificates?
No.
Now I am totally confused. Fajar says that it is not so easy to crack the passwords and Phil says the opposite. I am not a hacker. Can anybody say that this would be easy to do or not: "A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated it is generally trivially easy (in wireless networks) to introduce a fake Access Point which allows gathering MS-CHAPv2 handshakes, which on recent hardware can be cracked in a matter of seconds." (source: http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol) Best Regards Sebastian Heinrich Techn. DV Aluminium Oxid Stade GmbH Johann-Rathje-Köser-Straße 21683 Stade email S.Heinrich@aos-stade.de web http://www.aos-stade.de
On 30/03/12 10:54, Heinrich, Sebastian wrote:
Now I am totally confused. Fajar says that it is not so easy to crack the passwords and Phil says the opposite. I am not a hacker. Can anybody say that this would be easy to do or not:
I didn't say it was easy. I said it was *possible*. And you're asking for something we can't provide. This isn't a paid support hotline; we're individuals, and we're allowed to have our own, differing, opinions. However: I'm sure everyone will agree with me when I say: YOU SHOULD CONFIGURE YOUR CLIENTS TO CHECK THE CERTIFICATE. I hope that is clear enough for you.
Hi,
We don't want to install certificates on the clients, but the problem
in that case, just get your RADIUS server signed by a CA that is already on the clients....something like Thawte, Verisign etc. ie spend some money. if you dont want to spend some money, use your own self-signed CA (closed-loop authentication) and use a client deployment tool to get the CA onto the systems (this is trivial with GPO in an activedirectory controlled domain). think of the RADIUS server cert like that for an online bank. when you go to an online bak web site, the HTTPS is via a known certificate that your client trusts....and DNS can be used to map the name requested to an IP address....and the name of the server matches your request and the certificate name matches the DNS entry. you can even use DNSSEC to ensure that the IP you got was handed out by the domain you wanted... all good. with RADIUS there is no layer 3 activity etc for the client...no DNS available etc.. so you can only take what you are given by the RADIUS server...and then match that to your local rules/settings - so, you verify the server cert, verify the CN you were given..and finally , verify the CA that sent that cert.
used for the active directory. So is it only secure to connect to the AD when checking the certificates? Or is there another possibility to make it secure without installing certificates?
you can connect to the AD when checking the cert or when not checking the cert. if you do the former, then you are secure... if you dont check the CA then why even bother with 802.1X or security at all - you are leaving your network wide open to attack and abuse... i'll set up a rogue AP and just harvest peoples credentials...which I'll them use to access all the bits I need (there are live CD distros with such tools ready to go using internal wireless card on a laptop). - of course, when I say I'll set up, thats hypothetical...i have better things to do ;-) alan
Hi,
All in all you can say that if I use PEAP-EAP-MS-CHAPv2 I don't need to create certificates and put them in the FreeRADIUS Server. There is nothing checked if you don't check the checkbox 'check certificate'. Actually the existing certificates in the certs subdirectory could be deleted but the authentification would work?
did I say that? when? answer, no I didnt say that - you will always need a CA and server file - try running EAP methods without one defined. it wont work. whether you actually CARE about security and the 802.1X method determines what you do. If you are not checking then why bother? why not just have an open SSID? it will be only slightly less secure. alan
participants (5)
-
Alan Buxey -
Alan DeKok -
Fajar A. Nugraha -
Heinrich, Sebastian -
Phil Mayers