I've got an OpenLDAP directory using the SMB-LDAP schema and tools. Also have a FreeRadius 1.x instance setup to support authentication of PPTP users on my m0n0wall machine. The system has worked fine for a few years. I'm now looking to setup WPA2-Enterprises WiFi access and am looking for direction. I see there are lots of protocol options but I'm not sure of the merits of one over another. I do not completely understand the implications of my LDAP directory on the decision either. What I'm really looking for at this point is foe someone to recommend the right approach for my installation. I'm looking to use WPA2-Enterprises and accounts stored in my existing LDAP directory. I need to support primarily WinXP wireless clients but I also need my Linux (Fedora) machines to work as well as a few smartphones (Blackberry, iPhone, etc). Thanks in advance for any direction. Paul
Paul Dugas wrote:
I need to support primarily WinXP wireless clients but I also need my Linux (Fedora) machines to work as well as a few smartphones (Blackberry, iPhone, etc).
Use PEAP. Ensure passwords are in a form compatible with PEAP: http://deployingradius.com/documents/protocols/compatibility.html Follow the EAP instructions on the web site for further details on how to get EAP to work. Alan DeKok.
On Mon, Aug 16, 2010 at 5:02 PM, Alan DeKok <aland@deployingradius.com> wrote:
Use PEAP. Ensure passwords are in a form compatible with PEAP:
My LDAP directory contains NT, LM, and SSHA passwords but not clear-text so, if I'm following correctly, I need to look into using ntlm_auth. The docs explain how to do this with an AD deployment. How do they differ if Samba is my PDC instead (no AD)? Should it still work? I've actually already gotten some of this working. Following the one-step-at-a-time advice, I've gotten PEAP working with PAP in the inner tunnel. The FR2 package is far simpler than when I originally set this up with FR1. Paul
Paul Dugas wrote:
On Mon, Aug 16, 2010 at 5:02 PM, Alan DeKok <aland@deployingradius.com> wrote:
Use PEAP. Ensure passwords are in a form compatible with PEAP:
My LDAP directory contains NT, LM, and SSHA passwords but not clear-text so, if I'm following correctly, I need to look into using ntlm_auth.
No. I have no idea why you concluded that. FreeRADIUS needs a password for authentication. That's it.
I've actually already gotten some of this working. Following the one-step-at-a-time advice, I've gotten PEAP working with PAP in the inner tunnel. The FR2 package is far simpler than when I originally set this up with FR1.
Yup. If you have the LDAP module listed in the "inner-tunnel", then you're well on your way to getting it all to work. Alan DeKok.
On Tue, Aug 17, 2010 at 2:44 AM, Alan DeKok <aland@deployingradius.com> wrote:
Paul Dugas wrote:
On Mon, Aug 16, 2010 at 5:02 PM, Alan DeKok <aland@deployingradius.com> wrote:
Use PEAP. Ensure passwords are in a form compatible with PEAP:
My LDAP directory contains NT, LM, and SSHA passwords but not clear-text so, if I'm following correctly, I need to look into using ntlm_auth.
No. I have no idea why you concluded that.
FreeRADIUS needs a password for authentication. That's it.
The settings in NetworkManager on my Fedora Linux laptop, when I choose WPA&WPA2-Enterprise and PEAP, allow MSCHAPv2 (default), MD5, and GTC for the inner authentication. I see on the protocol compatibility table you referenced that only clear-text and ntlm_auth are available under PEAP and EAP-MSCHAPv2. I do not have clear-text passwords in my LDAP directory so I concluded I needed to look into ntlm_auth. Where did I go wrong?
If you have the LDAP module listed in the "inner-tunnel", then you're well on your way to getting it all to work.
I found a posting that pointed me toward sites-available/default to enable ldap under authorize and the Auth-Type LDAP block under authenticate. Found another that suggested the same in sites-enabled/inner-tunnel. I've adjusted modules/ldap to connect with the correct privileges; I've not adjust ldap.attrmap. It didn't work after that though I'm not at the site today to get detailed logs to post. I will be tomorrow though. Paul -- Paul Dugas • Dugas Enterprises, LLC • Computer Engineer 522 Black Canyon Park, Canton GA 30114 USA • Paul@DugasEnterprises.com • +1.404.932.1355
Paul Dugas wrote:
The settings in NetworkManager on my Fedora Linux laptop, when I choose WPA&WPA2-Enterprise and PEAP, allow MSCHAPv2 (default), MD5, and GTC for the inner authentication. I see on the protocol compatibility table you referenced that only clear-text and ntlm_auth are available under PEAP and EAP-MSCHAPv2.
No. MS-CHAP is compatible with the "NT Hash" form, or "NT-Password". This same form is also used by ntlm_auth.
I do not have clear-text passwords in my LDAP directory so I concluded I needed to look into ntlm_auth.
Where did I go wrong?
You have mistaken a tool for a method. "ntlm_auth" is a tool which gets MS-CHAP to authentication to Active Directory. "NT hash" is a password hashing method. If you do not have clear-text or NT hashed passwords in your LDAP database, then *no* tool will magically make MS-CHAP work. The problem is the method used to store the password. The problem is *not* the tool used to retrieve the password. Alan DeKok.
On Tue, Aug 17, 2010 at 4:02 PM, Alan DeKok <aland@deployingradius.com> wrote:
If you do not have clear-text or NT hashed passwords in your LDAP database, then *no* tool will magically make MS-CHAP work. The problem is the method used to store the password. The problem is *not* the tool used to retrieve the password.
If I do have NT hashed passwords in LDAP, is PEAP with ntlm_auth the recommendation? Thanks for the guidance, Paul
Paul Dugas wrote:
On Tue, Aug 17, 2010 at 4:02 PM, Alan DeKok <aland@deployingradius.com> wrote:
If you do not have clear-text or NT hashed passwords in your LDAP database, then *no* tool will magically make MS-CHAP work. The problem is the method used to store the password. The problem is *not* the tool used to retrieve the password.
If I do have NT hashed passwords in LDAP, is PEAP with ntlm_auth the recommendation?
No. I suggest reading my messages again. It's clear you don't understand what ntlm_auth does. Alan DeKok.
On Tue, Aug 17, 2010 at 4:29 PM, Alan DeKok <aland@deployingradius.com> wrote:
I suggest reading my messages again. It's clear you don't understand what ntlm_auth does.
Sorry if I've offended you. Are you saying that I should be able to enable ldap in inner-tunnel and it should be able to identify and use the NT or SSHA hashed password? Paul -- Paul Dugas • Dugas Enterprises, LLC • Computer Engineer 522 Black Canyon Park, Canton GA 30114 USA • Paul@DugasEnterprises.com • +1.404.932.1355
On 08/17/2010 05:31 PM, Paul Dugas wrote:
On Tue, Aug 17, 2010 at 4:29 PM, Alan DeKok<aland@deployingradius.com> wrote:
I suggest reading my messages again. It's clear you don't understand what ntlm_auth does.
Sorry if I've offended you.
Are you saying that I should be able to enable ldap in inner-tunnel and it should be able to identify and use the NT or SSHA hashed password?
Yes, that is what Alan is saying. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 08/17/2010 09:20 PM, Paul Dugas wrote:
On Tue, Aug 17, 2010 at 4:02 PM, Alan DeKok<aland@deployingradius.com> wrote:
If you do not have clear-text or NT hashed passwords in your LDAP database, then *no* tool will magically make MS-CHAP work. The problem is the method used to store the password. The problem is *not* the tool used to retrieve the password.
If I do have NT hashed passwords in LDAP, is PEAP with ntlm_auth the recommendation?
No. MS-CHAP requires access to the NT hash to execute the challenge/response. This means you have 3 options: 1. Use a datastore containing the NT hash directly. In your case, let the "ldap" module fetch the users NT hash, then the "mschap" module perform challenge/response. 2. Use a datastore containing the cleartext password. Fetch the cleartext password, generate the NT hash, proceed as above NOTE: options 1 & 2 would *not* work if your LDAP server were active directory, since AD doesn't permit access to the passwords or hashes. 3. Hand off the challenge/response to a 3rd party who *does* have access to one of the above. This is typically done by a) installing Samba b) joining a windows domain/active directory and c) using the ntlm_auth helper to pass the challenge/response request to a domain controller. In your case, provided you are using the default configurations, the ldap module will fetch the NT hash, and mschap will do the authentication. The "ntlm_auth" helper is not applicable; it's only used on a samba domain member to pass requests to the domain controller(s).
participants (4)
-
Alan DeKok -
John Dennis -
Paul Dugas -
Phil Mayers