Using existing NTLM hashes
Hi all, I just set up a Freeradius server (3.0 on Ubuntu 16.04). I want to use an OpenLDAP server (that has a UserPassword field with an NTLM hash and a prefix that is "{ntlm}", so a password looks like "{NTLM}0CB6948805F797BF2A82807973B89537". Now I would like Freeradius to strip the "{NTLM}" part, and then authenticate using that hash. Amongst server connection settings, I also added this to the ldap module configuration: password_header = "{ntlm}" #control:Password-With-Header += 'userPassword' control:NT-Password := 'UserPassword' I still get this when testing with an android device: Thu Sep 21 08:59:02 2017 : WARNING: (7) mschap: NT-Password found but incorrect length, expected 16 bytes got 38 bytes. Authentication may fail Thu Sep 21 08:59:02 2017 : WARNING: (7) mschap: No Cleartext-Password configured. Cannot create NT-Password Thu Sep 21 08:59:02 2017 : WARNING: (7) mschap: No Cleartext-Password configured. Cannot create LM-Password Thu Sep 21 08:59:02 2017 : Debug: (7) mschap: Creating challenge hash with username: MyUserName Thu Sep 21 08:59:02 2017 : Debug: (7) mschap: Client is using MS-CHAPv2 Thu Sep 21 08:59:02 2017 : ERROR: (7) mschap: FAILED: No NT/LM-Password. Cannot perform authentication Thu Sep 21 08:59:02 2017 : ERROR: (7) mschap: MS-CHAP2-Response is incorrect Do you guys have any tips for me on how to resolve this? Sorry if I left out any valuable info. Thanks, Maarten
hi,
password_header = "{ntlm}"
is that in the docs? you cant just make up headers IIRC - they are meant to match known things, its not a user configurable field. so, fix would be to strip that off the return value from LDAP, or to search/replace it with {nt} or {nthash} PS you dont need to deal with rel clients and wifi etc etc when doing this, jus use command line with eapol_test - so much easier! alan
rlm_ldap no longer strips off password headers (as it did in v2). {ntlm} is not a supported header. It doesn't to any kind of hashing scheme, you need to use nt or nthash. You can use rlm_pap to do password normification only, by listing it after ldap, but before mschap/eap in the authorize section of the inner tunnel server, then removing any references to the pap module in the authenticate section of the inner tunnel server. rlm_pap will process any Password-With-Header attributes, converting them into the correct attribute and adding them to the control list. We should probably move this out into a separate module in v4, but that's the way it's done for v3. -Arran
Hi all, Thanks Arran and Alan for your responses. I'll see if I can get Freeradius to bind to LDAP as the user that is authenticating, and depending on the result, succesfully auithenticate the user. Thanks, Maarten ________________________________________ From: Freeradius-Users <freeradius-users-bounces+freeradius-list=servervault.nl@lists.freeradius.org> on behalf of Arran Cudbard-Bell <a.cudbardb@freeradius.org> Sent: Thursday, September 21, 2017 10:47 AM To: FreeRadius users mailing list Subject: Re: Using existing NTLM hashes rlm_ldap no longer strips off password headers (as it did in v2). {ntlm} is not a supported header. It doesn't to any kind of hashing scheme, you need to use nt or nthash. You can use rlm_pap to do password normification only, by listing it after ldap, but before mschap/eap in the authorize section of the inner tunnel server, then removing any references to the pap module in the authenticate section of the inner tunnel server. rlm_pap will process any Password-With-Header attributes, converting them into the correct attribute and adding them to the control list. We should probably move this out into a separate module in v4, but that's the way it's done for v3. -Arran
On 21 Sep 2017, at 17:21, Maarten <freeradius-list@servervault.nl> wrote:
Hi all,
Thanks Arran and Alan for your responses. I'll see if I can get Freeradius to bind to LDAP as the user that is authenticating, and depending on the result, succesfully auithenticate the user.
Can't do that with PEAP or TTLS-MSCHAPv2 though, so you'll be limited to TTLS-PAP. Better getting it working the way I explained. -Arran
participants (3)
-
Alan Buxey -
Arran Cudbard-Bell -
Maarten