Combining EAP, MSCHAP and LDAP
Hi, Can anyone help advise if FreeRADIUS is suitable without any other changes to the existing infrastructure at my institution? If so, any advice on the best way to implement would be appreciated. I am looking at options for replacing MS NPS with basically something better that works and is debuggable. FreeRadius looks the best option. Our setup is a little complicated. Wireless users authenticate with EAP type PEAP, the inner authentication being done via MSCHAPv2. At the backend, we have a *nix based LDAP server with a particular attribute set for if a user is permitted to access the wireless network. Passwords are stored in an encrypted format. When a user binds, they can not see the resource attribute saying if they are permitted to use wireless. The LDAP information is pushed into active directory, where a wireless user group is created and populated by those who have the wireless flag set. Currently NPS authenticates against AD and checks this group. My preference would be to leave any windows stuff out of the equation. I followed a couple of online guides and have had FreeRadius successfully authenticate users against AD, however I then found something saying if I wanted to check groups I would have to use LDAP. Following the information in the Dirk van der Walt book, it states that you can bind to LDAP as a user but are limited to PAP authentication or you can read the userPassword attribute which must be plain text if MSCHAP is needed. Neither sounds suitable for what I need. Is it possible for FreeRadius to use EAP, MSCHAP, check a LDAP attribute and an encrypted password? As the password is encrypted and of little use, our LDAP expert suggested that we bind using a system account to check the account exists and has rights for wireless (I have this bit working), then to authenticate a bind is made as the user. Does this sound reasonable? Would binding to the AD server as an LDAP server offer any better avenue? As this is currently a proof-of-concept lab exercise, we do not want to make any changes to our existing infrastructure if possible. If that is required, giving users permission to see their wireless attribute in LDAP seems like the least painful. Sorry for the rambling posts, I'm in the newbie situation of being faced with many paths open to me, and not really knowing the best one to take. Yours DaveH
I followed a couple of online guides and have had FreeRadius successfully authenticate users against AD, however I then found something saying if I wanted to check groups I would have to use LDAP.
Following the information in the Dirk van der Walt book, it states that you can bind to LDAP as a user but are limited to PAP authentication or you can read the userPassword attribute which must be plain text if MSCHAP is needed. Neither sounds suitable for what I need.
Or NT-Password.
Is it possible for FreeRadius to use EAP, MSCHAP, check a LDAP attribute and an encrypted password?
MSCHAPv2 will work with the password in cleartext, or hashed as an NT-Password (MD4).
As the password is encrypted and of little use, our LDAP expert suggested that we bind using a system account to check the account exists and has rights for wireless (I have this bit working), then to authenticate a bind is made as the user. Does this sound reasonable?
No. MSCHAPv2 doesn't provide the cleartext password, so you will not be able to bind.
Would binding to the AD server as an LDAP server offer any better avenue?
No.
As this is currently a proof-of-concept lab exercise, we do not want to make any changes to our existing infrastructure if possible. If that is required, giving users permission to see their wireless attribute in LDAP seems like the least painful.
Best bet is to use your LDAP directory for authorisation, and your AD server for authentication. There are quite a few guides on setting up AD with FreeRADIUS. The LDAP module supports an 'access' attribute, and will allow you to do group lookups. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Best bet is to use your LDAP directory for authorisation, and your AD server for authentication. There are quite a few guides on setting up AD with FreeRADIUS.
The LDAP module supports an 'access' attribute, and will allow you to do group lookups.
Thanks, I never thought of splitting the two functions between the two systems. I will give that a go, but may be posting again if I'm stuck! Dave
Hi,
Can anyone help advise if FreeRADIUS is suitable without any other changes to the existing infrastructure at my institution? If so, any
well, that depends on your existing infrastructure! ;-)
Our setup is a little complicated. Wireless users authenticate with
this sounds like quite a basic setup. the obvious choice is yo use the mschap module with ntlm_auth for the authentication and the LDAP functionality for checking your group memberships to decide policy. you DO have issues with AD if you want to use the LDAP module for authentication - but you dont need to do that..and dont want to do that alan
On 09/12/13 08:45, David Hartburn wrote:
Hi,
Can anyone help advise if FreeRADIUS is suitable without any other changes to the existing infrastructure at my institution? If so, any advice on the best way to implement would be appreciated.
I am looking at options for replacing MS NPS with basically something better that works and is debuggable. FreeRadius looks the best option.
Our setup is a little complicated. Wireless users authenticate with EAP type PEAP, the inner authentication being done via MSCHAPv2. At the backend, we have a *nix based LDAP server with a particular attribute set for if a user is permitted to access the wireless network. Passwords are stored in an encrypted format.
Which encrypted format? Unless it's the NT hash (MD4 of UCS16 encoding of password) then you're out of luck I'm afraid, as MSCHAP requires plaintext or NT hash. See: http://deployingradius.com/documents/protocols/compatibility.html
you can read the userPassword attribute which must be plain text if MSCHAP is needed. Neither sounds suitable for what I need.
Is it possible for FreeRadius to use EAP, MSCHAP, check a LDAP attribute and an encrypted password?
Not unless it's the NT hash, no.
exists and has rights for wireless (I have this bit working), then to authenticate a bind is made as the user. Does this sound reasonable?
MSCHAP does not give the RADIUS server a username & password, so you can't "bind as" the user. Instead you get a challenge and response value, that need to be checked using a cryptographic algorithm that takes username & NT hash as inputs. So you need to store NT hash (or cleartext, which can be used to generate it). Cheers, Phil
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
David Hartburn -
Phil Mayers