Radius and Ldap Authentication problem
Hello all, I set a radius server for wifi authentication, I can log in wifi by username and password in radius server user file using mobile phone. Then, I need to use ldap server as the backend database for user authentication, I can use radtest on radius to connect with ldap server successfully. However I can not log in to wifi by the username and password stored in ldap server. As mschapv2 is not supported by ldap, so I use ttls as the default peap method. The ldap server will only give me the information about accept or reject, but it would not reply me with a password. If possible, can anyone tell me the authentication process between ldap server and radius server. All of the above are the problem what I encountered by now, can anyone help with this, this problem really drive crazy, Thanks. Best Regards Li
On 16 Jan 2014, at 11:24, 亚坤 李 <liyakun127@hotmail.com> wrote:
Hello all,
I set a radius server for wifi authentication, I can log in wifi by username and password in radius server user file using mobile phone. Then, I need to use ldap server as the backend database for user authentication, I can use radtest on radius to connect with ldap server successfully. However I can not log in to wifi by the username and password stored in ldap server.
As mschapv2 is not supported by ldap, so I use ttls as the default peap method. The ldap server will only give me the information about accept or reject, but it would not reply me with a password. If possible, can anyone tell me the authentication process between ldap server and radius server.
All of the above are the problem what I encountered by now, can anyone help with this, this problem really drive crazy, Thanks.
If you're using TTLS-PAP then you can use LDAP as an authentication module. It will use the plaintext password sent in the TLS tunnel to bind against the LDAP directory. If you're using OpenLDAP, or eDirectory or another LDAP server which supports retrieving credentials in the clear (i.e. not Active Directory) and actually have the passwords stored in cleartext (instead of a hash), they can be retrieved by binding as an LDAP user with sufficient privileges. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 16.01.2014 12:24, 亚坤 李 wrote:
As mschapv2 is not supported by ldap, so I use ttls as the default peap method.
Wrong, with ldap (except if you run Novell eDirectory), the only working solution is EAP-TTLS/PAP, where the password is sent in clear-text within the TLS tunnel and thus can be used to bind to the ldap server. Other solution would be to store the NT-Hash within your ldap directory, then mschapv2 would work.
All of the above are the problem what I encountered by now, can anyone help with this, this problem really drive crazy, Thanks.
The list already answered to your question and directed you to the following page : http://deployingradius.com/documents/protocols/compatibility.html If it's RED, it's impossible. So don't ask how it can work because it won't work. Ever. Olivier B. -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
Olivier Beytrison -
亚坤 李