Re: FreeRADIUS + OpenLDAP + MSCHAPv2
Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is more up-to-date than the CentOS Yum repositories apparently). However, upon reading the documentation in modules/ldap, I see this: # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I missing something again? Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354
See: http://deployingradius.com/documents/protocols/oracles.html Ken On Tue, Nov 18, 2008 at 01:29:48PM -0800, Tim Gustafson wrote:
Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is more up-to-date than the CentOS Yum repositories apparently).
However, upon reading the documentation in modules/ldap, I see this:
# However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK.
So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I missing something again?
Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tim Gustafson wrote:
Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is more up-to-date than the CentOS Yum repositories apparently).
However, upon reading the documentation in modules/ldap, I see this: ... So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I missing something again?
A lot of the confusion here is terminology. People talk about pulling a password from a database and doing authentication in RADIUS as "authenticating against LDAP". This is technically *not* correct. In short, LDAP doesn't do MS-CHAPv2. You can't "do MS-CHAPv2 against an LDAP server". You CAN have FreeRADIUS read the clear-text password from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication. Thinking of it in this way is the *correct* way. It also has impacts on attitudes towards network design, requirements, etc. If you think of it as "doing MS-CHAPv2 against LDAP", it will be difficult to design a system based on how things really work... because the conceptual model underlying the design is wrong. Alan DeKok.
participants (3)
-
Alan DeKok -
Kenneth Marshall -
Tim Gustafson