Hi, We're looking into using PEAP with MSChapV2, instead of PAP (don't want to use the SecureW2 client anymore) so are investigating ways to store the password in LDAP. According to http://deployingradius.com/documents/protocols/compatibility.html ,the options are storing the password in Clear-Text or in an NT Hash (ntlm_auth). In talking with our LDAP people, I was told the following: SunOne does not support nt-hash passwords. Supported formats are CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA. Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and SSHA512. It sounds to me like if we want to do PEAP/MSChapV2 we'd have to store the password in cleartext? I would just like to verify this via this list. Any advice is appreciated. Thanks Matt mda@unb.ca
Matt Ashfield a écrit :
Hi,
We’re looking into using PEAP with MSChapV2, instead of PAP (don’t want to use the SecureW2 client anymore) so are investigating ways to store the password in LDAP.
According to http://deployingradius.com/documents/protocols/compatibility.html ,the options are storing the password in Clear-Text or in an NT Hash (ntlm_auth).
In talking with our LDAP people, I was told the following:
SunOne does not support nt-hash passwords. Supported formats are CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and SSHA512.
This means that your userPassword attribute must contain your password in the previously mentionned has forms. This userPassword attribute is used internally by your LDAP directory in order to authenticate your access (bind) to the LDAP server.
It sounds to me like if we want to do PEAP/MSChapV2 we’d have to store the password in cleartext? I would just like to verify this via this list.
Not necessarily. You may _not_ want to use ldap binding as the authentication process, but only use your LDAP directory as a database backend in which FR will read a given ldap attribute (different from 'userPassword') and maps it to the NT-Hash version of the user password. In other words (setup for FR1.7): * in your LDAP directory entries add a new attribute (that will hold the NT-Hash version of the user password) * update the configuration file ldap.attrmap so that the new ldap attribute maps to the radius NT-Password attribute * setup your rlm_ldap module and use it in the authorize section (NOT the authenticate section) * don't forget to use the mschap module in your authorize section (after the ldap one) so that the MS-CHAP Authentication will see the encrypted user password and sets Auth-Type accordingly Hope this helps, Thibault
Any advice is appreciated.
Thanks
Matt
mda@unb.ca
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
HI, Im now trying your suggestions for getting FR and PEAP working together. Below is the result of a radtest that I did. The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format? It looks to me like I have something wrong with my authenticate section. My authorize section looks like: authorize { preprocess chap mschap suffix eap Autz-Type Ldap1 { redundant-load-balance{ unbldap unbldap2 } mschap } } The radtest result is below: rad_recv: Access-Request packet from host 127.0.0.1 port 32769, id=97, length=55 User-Name = "mda" User-Password = "abc123" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Tue Jun 10 10:07:34 2008 : Debug: +- entering group authorize Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Tue Jun 10 10:07:34 2008 : Debug: ++[preprocess] returns ok Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0 Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0 Tue Jun 10 10:07:34 2008 : Debug: ++[chap] returns noop Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0 Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0 Tue Jun 10 10:07:34 2008 : Debug: ++[mschap] returns noop Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0 Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No '@' in User-Name = "mda", looking up realm NULL Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No such realm "NULL" Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0 Tue Jun 10 10:07:34 2008 : Debug: ++[suffix] returns noop Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0 Tue Jun 10 10:07:34 2008 : Debug: rlm_eap: No EAP-Message, not doing EAP Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0 Tue Jun 10 10:07:34 2008 : Debug: ++[eap] returns noop Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0 Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0 Tue Jun 10 10:07:34 2008 : Debug: ++[files] returns noop Tue Jun 10 10:07:34 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Tue Jun 10 10:07:34 2008 : Debug: auth: Failed to validate the user. Tue Jun 10 10:07:34 2008 : Auth: Login incorrect: [mda] (from client localhost port 0) Tue Jun 10 10:07:34 2008 : Debug: Delaying reject of request 0 for 1 seconds Tue Jun 10 10:07:34 2008 : Debug: Going to the next request Tue Jun 10 10:07:34 2008 : Debug: Waking up in 0.9 seconds. Tue Jun 10 10:07:35 2008 : Debug: Sending delayed reject for request 0 Sending Access-Reject of id 97 to 127.0.0.1 port 32769 Tue Jun 10 10:07:35 2008 : Debug: Waking up in 4.9 seconds. Tue Jun 10 10:07:40 2008 : Debug: Cleaning up request 0 ID 97 with timestamp +17 Tue Jun 10 10:07:40 2008 : Debug: Ready to process requests. Any assistance is appreciated. Thanks Matt mda@unb.ca -----Original Message----- From: Thibault Le Meur [mailto:Thibault.LeMeur@supelec.fr] Sent: Monday, May 26, 2008 11:00 AM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: FR and PEAP question Matt Ashfield a écrit :
Hi,
Were looking into using PEAP with MSChapV2, instead of PAP (dont want to use the SecureW2 client anymore) so are investigating ways to store the password in LDAP.
According to http://deployingradius.com/documents/protocols/compatibility.html ,the options are storing the password in Clear-Text or in an NT Hash (ntlm_auth).
In talking with our LDAP people, I was told the following:
SunOne does not support nt-hash passwords. Supported formats are CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and SSHA512.
This means that your userPassword attribute must contain your password in the previously mentionned has forms. This userPassword attribute is used internally by your LDAP directory in order to authenticate your access (bind) to the LDAP server.
It sounds to me like if we want to do PEAP/MSChapV2 wed have to store the password in cleartext? I would just like to verify this via this list.
Not necessarily. You may _not_ want to use ldap binding as the authentication process, but only use your LDAP directory as a database backend in which FR will read a given ldap attribute (different from 'userPassword') and maps it to the NT-Hash version of the user password. In other words (setup for FR1.7): * in your LDAP directory entries add a new attribute (that will hold the NT-Hash version of the user password) * update the configuration file ldap.attrmap so that the new ldap attribute maps to the radius NT-Password attribute * setup your rlm_ldap module and use it in the authorize section (NOT the authenticate section) * don't forget to use the mschap module in your authorize section (after the ldap one) so that the MS-CHAP Authentication will see the encrypted user password and sets Auth-Type accordingly Hope this helps, Thibault
Any advice is appreciated.
Thanks
Matt
mda@unb.ca
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?
No.
It looks to me like I have something wrong with my authenticate section.
My authorize section looks like: authorize { preprocess chap mschap suffix eap Autz-Type Ldap1 { redundant-load-balance{ unbldap unbldap2 } mschap } }
Not really. You just haven't called that Autz-Type anywhere. Ivan Kalik Kalik Informatika ISP
I thought it would get referenced because in my users file I have: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1 User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=staff, Tunnel-Type=VLAN, Fall-Through = no And in huntgroups I have this. Although I am unsure if this is correct. UNBFWSS NAS-IP-Address == 127.0.0.1 Matt mda@unb.ca -----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 10:36 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?
No.
It looks to me like I have something wrong with my authenticate section.
My authorize section looks like: authorize { preprocess chap mschap suffix eap Autz-Type Ldap1 { redundant-load-balance{ unbldap unbldap2 } mschap } }
Not really. You just haven't called that Autz-Type anywhere. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You can't test for it with pap requests (radtest). Ivan Kalik Kalik Informatika ISP Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I thought it would get referenced because in my users file I have:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1 User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=staff, Tunnel-Type=VLAN, Fall-Through = no
And in huntgroups I have this. Although I am unsure if this is correct. UNBFWSS NAS-IP-Address == 127.0.0.1
Matt mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 10:36 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?
No.
It looks to me like I have something wrong with my authenticate section.
My authorize section looks like: authorize { preprocess chap mschap suffix eap Autz-Type Ldap1 { redundant-load-balance{ unbldap unbldap2 } mschap } }
Not really. You just haven't called that Autz-Type anywhere.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a howto? Clearly I'm down the wrong path here. Matt mda@unb.ca -----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 11:02 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You can't test for it with pap requests (radtest). Ivan Kalik Kalik Informatika ISP Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I thought it would get referenced because in my users file I have:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1 User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=staff, Tunnel-Type=VLAN, Fall-Through = no
And in huntgroups I have this. Although I am unsure if this is correct. UNBFWSS NAS-IP-Address == 127.0.0.1
Matt mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 10:36 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?
No.
It looks to me like I have something wrong with my authenticate section.
My authorize section looks like: authorize { preprocess chap mschap suffix eap Autz-Type Ldap1 { redundant-load-balance{ unbldap unbldap2 } mschap } }
Not really. You just haven't called that Autz-Type anywhere.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Matt Ashfield wrote:
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a howto? Clearly I'm down the wrong path here.
I'm in the process of writing some howto's for my deployingradius.com web page. But $$ work comes first. In short: - start with default config (as always) - use eapol_test (from wpa_supplicant) for PEAP testing - see src/tests/peap-mschapv2.conf for eapol_test configuration - supply a Cleartext-Password to the server - use virtual servers to simplify your policy. - in 2.0, try to avoid Autz-Type. It's no longer necessary. Alan DeKok.
eapol_test from wpa_supplicant JRadius Simulator Ivan Kalik Kalik Informatika ISP Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a howto? Clearly I'm down the wrong path here.
Matt mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 11:02 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You can't test for it with pap requests (radtest).
Ivan Kalik Kalik Informatika ISP
Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I thought it would get referenced because in my users file I have:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1 User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=staff, Tunnel-Type=VLAN, Fall-Through = no
And in huntgroups I have this. Although I am unsure if this is correct. UNBFWSS NAS-IP-Address == 127.0.0.1
Matt mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 10:36 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?
No.
It looks to me like I have something wrong with my authenticate section.
My authorize section looks like: authorize { preprocess chap mschap suffix eap Autz-Type Ldap1 { redundant-load-balance{ unbldap unbldap2 } mschap } }
Not really. You just haven't called that Autz-Type anywhere.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi I’m still trying to get this working. I’m using an XP machine plugged into an edge switch acting as a NAS. I’m using the PEAP/MSCHAP in XP to authenticate against an LDAP directory. In that directory, we have created an attribute called ntPasssword which I have populated with the word ‘password’ (create, I know!). Below is what I get when I run in debug mode. In ldap.attrmap I have the line: checkItem NT-Password ntPassword in radiusd.conf in my ldap declaration, I have: password_attribute = ntPassword I can’t quite figure out what’s going on below. Looks to me like the passwords are not matching. Any advice is appreciated. Thanks rad_recv: Access-Request packet from host 11.2.19.3 port 2048, id=3, length=102 NAS-IP-Address = 11.2.19.3 NAS-Port-Type = Ethernet Service-Type = Framed-User Message-Authenticator = 0xfbe3f8eb4dd656189f641a6aef2a8e59 NAS-Port = 2 Framed-MTU = 1490 User-Name = "mda" Calling-Station-Id = "00-11-25-81-1D-DA" EAP-Message = 0x02030008016d6461 Wed Jun 11 09:42:02 2008 : Debug: +- entering group authorize Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[preprocess] returns ok Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1 Wed Jun 11 09:42:02 2008 : Debug: rlm_realm: No '@' in User-Name = "mda", looking up realm NULL Wed Jun 11 09:42:02 2008 : Debug: rlm_realm: No such realm "NULL" Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[suffix] returns noop Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling unbldap (rlm_ldap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: - authorize Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: performing user authorization for mda Wed Jun 11 09:42:02 2008 : Debug: WARNING: Deprecated conditional expansion ":-". See "man unlang" for details Wed Jun 11 09:42:02 2008 : Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=mda) Wed Jun 11 09:42:02 2008 : Debug: expand: ou=people,dc=unb,dc=ca -> ou=people,dc=unb,dc=ca Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: performing search in ou=people,dc=unb,dc=ca, with filter (uid=mda) Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: Added User-Password = å,¬gA??"J;???¦Ëm in check items Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for check items in directory... Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0xe52cac67419a9a224a3b108f3fa6cb6d Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for reply items in directory... Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: user mda authorized to use remote access Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from unbldap (rlm_ldap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[unbldap] returns ok Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[mschap] returns noop Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[mschap] returns noop Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[files] returns noop Wed Jun 11 09:42:02 2008 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Wed Jun 11 09:42:02 2008 : Debug: !!! Replacing User-Password in config items with Cleartext-Password. !!! Wed Jun 11 09:42:02 2008 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Wed Jun 11 09:42:02 2008 : Debug: !!! Please update your configuration so that the "known good" !!! Wed Jun 11 09:42:02 2008 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Wed Jun 11 09:42:02 2008 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Wed Jun 11 09:42:02 2008 : Debug: auth: type Local Wed Jun 11 09:42:02 2008 : Debug: auth: No User-Password or CHAP-Password attribute in the request Wed Jun 11 09:42:02 2008 : Debug: auth: Failed to validate the user. Wed Jun 11 09:42:02 2008 : Auth: Login incorrect: [mda] (from client hh932 port 2 cli 00-11-25-81-1D-DA) Wed Jun 11 09:42:02 2008 : Debug: Delaying reject of request 1 for 1 seconds Wed Jun 11 09:42:02 2008 : Debug: Going to the next request Wed Jun 11 09:42:02 2008 : Debug: Waking up in 0.9 seconds. Wed Jun 11 09:42:03 2008 : Debug: Sending delayed reject for request 1 Sending Access-Reject of id 3 to 11.2.19.3 port 2048 Wed Jun 11 09:42:03 2008 : Debug: Waking up in 4.9 seconds. Wed Jun 11 09:42:08 2008 : Debug: Cleaning up request 1 ID 3 with timestamp +355 Wed Jun 11 09:42:08 2008 : Debug: Ready to process requests. Matt mda@unb.ca -----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 11:21 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question eapol_test from wpa_supplicant JRadius Simulator Ivan Kalik Kalik Informatika ISP Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a howto? Clearly I'm down the wrong path here.
Matt mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 11:02 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You can't test for it with pap requests (radtest).
Ivan Kalik Kalik Informatika ISP
Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I thought it would get referenced because in my users file I have:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1 User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=staff, Tunnel-Type=VLAN, Fall-Through = no
And in huntgroups I have this. Although I am unsure if this is correct. UNBFWSS NAS-IP-Address == 127.0.0.1
Matt mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 10:36 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?
No.
It looks to me like I have something wrong with my authenticate section.
My authorize section looks like: authorize { preprocess chap mschap suffix eap Autz-Type Ldap1 { redundant-load-balance{ unbldap unbldap2 } mschap } }
Not really. You just haven't called that Autz-Type anywhere.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am 11.06.2008 um 14:48 schrieb Matt Ashfield:
Hi
I’m still trying to get this working. I’m using an XP machine plugged into an edge switch acting as a NAS. I’m using the PEAP/ MSCHAP in XP to authenticate against an LDAP directory. In that directory, we have created an attribute called ntPasssword which I have populated with the word ‘password’ (create, I know!). Below is what I get when I run in debug mode.
You have coded "Password" in UTF-16LE and applied the MD4 hash on it, before putting it in "ntPassword", haven't you? Have a nice day!
In ldap.attrmap I have the line:
checkItem NT-Password ntPassword
in radiusd.conf in my ldap declaration, I have:
password_attribute = ntPassword
I can’t quite figure out what’s going on below. Looks to me like the passwords are not matching. Any advice is appreciated.
Thanks
[...]
Matt
mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 11:21 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
eapol_test from wpa_supplicant
JRadius Simulator
Ivan Kalik
Kalik Informatika ISP
Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a
howto? Clearly I'm down the wrong path here.
Matt
mda@unb.ca
-----Original Message-----
From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org
[mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf
Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:02 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question
FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You
can't test for it with pap requests (radtest).
Ivan Kalik
Kalik Informatika ISP
Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I thought it would get referenced because in my users file I have:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS,
unbldap-Ldap-Group == staff, Autz-Type := Ldap1
User-Name=`%{User-Name}`,
Tunnel-Private-Group-Id=staff,
Tunnel-Type=VLAN,
Fall-Through = no
And in huntgroups I have this. Although I am unsure if this is correct.
UNBFWSS NAS-IP-Address == 127.0.0.1
Matt
mda@unb.ca
-----Original Message-----
From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org
[mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf
Of Ivan Kalik
Sent: Tuesday, June 10, 2008 10:36 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question
The password that is being supplied by radtest is in plain-text, should I
be
supplying it in ntPassword-encrypted format?
No.
It looks to me like I have something wrong with my authenticate section.
My authorize section looks like:
authorize {
preprocess
chap
mschap
suffix
eap
Autz-Type Ldap1 {
redundant-load-balance{
unbldap
unbldap2
}
mschap
}
}
Not really. You just haven't called that Autz-Type anywhere.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See
-
List info/subscribe/unsubscribe? See
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
In ldap.attrmap I have the line: checkItem NT-Password ntPassword
in radiusd.conf in my ldap declaration, I have: password_attribute = ntPassword
And that would work if you were using pap module. But you are using mschap. That one looks for cleartext password first. If it doesn't find it tries nt stuff. And you have an encrypted User-Password here. Delete that ...
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: Added User-Password = ĂĽ,ÂŹgA??"J;???ÂŚĂm in check items
.. and server will use this one:
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for check items in directory... Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0xe52cac67419a9a224a3b108f3fa6cb6d
And you won't see any of this:
Wed Jun 11 09:42:02 2008 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Wed Jun 11 09:42:02 2008 : Debug: !!! Replacing User-Password in config items with Cleartext-Password. !!! Wed Jun 11 09:42:02 2008 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Wed Jun 11 09:42:02 2008 : Debug: !!! Please update your configuration so that the "known good" !!! Wed Jun 11 09:42:02 2008 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Wed Jun 11 09:42:02 2008 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Wed Jun 11 09:42:02 2008 : Debug: auth: type Local
On top of that - what happened to the eap module? It should be called before files. You haven't commented that out by any chance? Ivan Kalik Kalik Informatika ISP
Am 26.05.2008 um 15:41 schrieb Matt Ashfield:
Hi,
We’re looking into using PEAP with MSChapV2, instead of PAP (don’t want to use the SecureW2 client anymore) so are investigating ways to store the password in LDAP.
According to http://deployingradius.com/documents/protocols/ compatibility.html ,the options are storing the password in Clear- Text or in an NT Hash (ntlm_auth).
In talking with our LDAP people, I was told the following:
SunOne does not support nt-hash passwords. Supported formats are CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, NS- MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and SSHA512.
It sounds to me like if we want to do PEAP/MSChapV2 we’d have to store the password in cleartext? I would just like to verify this via this list.
Yes, not any of the formats is NT Hash. (NT Hash is the MD4 hash of the UTF-16LE encoding of the password.)
Any advice is appreciated.
Thanks
Have a nice day!
Matt
mda@unb.ca
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Am 26.05.2008 um 16:00 schrieb Nicolas Goutte:
Am 26.05.2008 um 15:41 schrieb Matt Ashfield:
Hi,
We’re looking into using PEAP with MSChapV2, instead of PAP (don’t want to use the SecureW2 client anymore) so are investigating ways to store the password in LDAP.
According to http://deployingradius.com/documents/protocols/ compatibility.html ,the options are storing the password in Clear- Text or in an NT Hash (ntlm_auth).
In talking with our LDAP people, I was told the following:
SunOne does not support nt-hash passwords. Supported formats are CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, NS- MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and SSHA512.
It sounds to me like if we want to do PEAP/MSChapV2 we’d have to store the password in cleartext? I would just like to verify this via this list.
Yes, not any of the formats is NT Hash.
(NT Hash is the MD4 hash of the UTF-16LE encoding of the password.)
I have forgotten: as NT-Hash under Linux is "handled" by Samba, you should check in that direction too, e.g. smbpasswd.
Any advice is appreciated.
Thanks
Have a nice day!
Matt
mda@unb.ca
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
participants (5)
-
Alan DeKok -
Ivan Kalik -
Matt Ashfield -
Nicolas Goutte -
Thibault Le Meur