Hi, I'm trying to get a freeradius server (v1.0.1) to work with CHAP and querying a Windows 2003 Active Directory server using LDAP. I've got LDAP working for PAP queries, but CHAP comes back with the "rlm_chap: Could not find clear text password". Now I've read the FAQ and followed those notes, but I'm not sure what the values should be for the "password_header", "password_attribute" and "password_radius_attribute"? Any help would be much appreciated, Thanks, Luke
Hi,
I'm trying to get a freeradius server (v1.0.1) to work with CHAP and
How about 1.1.2? Upgrading is easy, and it fixes at least one security bug.
querying a Windows 2003 Active Directory server using LDAP.
I've got LDAP working for PAP queries, but CHAP comes back with the "rlm_chap: Could not find clear text password".
AD and LDAP-mode don't work together. The AD server will not give away the user's attribute. If you want CHAP to work, you will need to use ntlm_auth. That's more work, but possible. Several people keep asking how this works every once in a while on this list, searching the archives and the FR website will help you get along. There's also a great tutorial on the topic, which is referenced here quite often by Charles Schwartz, see the archives for that one as well. Greetings, -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Stefan Winter wrote:
Hi,
I'm trying to get a freeradius server (v1.0.1) to work with CHAP and
How about 1.1.2? Upgrading is easy, and it fixes at least one security bug.
querying a Windows 2003 Active Directory server using LDAP.
I've got LDAP working for PAP queries, but CHAP comes back with the "rlm_chap: Could not find clear text password".
AD and LDAP-mode don't work together. The AD server will not give away the user's attribute. If you want CHAP to work, you will need to use ntlm_auth.
That is not correct. If you want to use *MS-CHAP* you must use ntlm_auth (or extract the NT hash another way). If you want to use CHAP i.e. plain-old chap as implemented by the rlm_chap module listed above, you MUST have the users plaintext password which AD does not maintain by default and even if it is told to, cannot be persuaded to give up.
Hi Phil, On 5 Jul 2006, at 17:43, Phil Mayers wrote:
Stefan Winter wrote:
Hi,
I'm trying to get a freeradius server (v1.0.1) to work with CHAP and How about 1.1.2? Upgrading is easy, and it fixes at least one security bug. querying a Windows 2003 Active Directory server using LDAP.
I've got LDAP working for PAP queries, but CHAP comes back with the "rlm_chap: Could not find clear text password". AD and LDAP-mode don't work together. The AD server will not give away the user's attribute. If you want CHAP to work, you will need to use ntlm_auth.
That is not correct. If you want to use *MS-CHAP* you must use ntlm_auth (or extract the NT hash another way).
If you want to use CHAP i.e. plain-old chap as implemented by the rlm_chap module listed above, you MUST have the users plaintext password which AD does not maintain by default and even if it is told to, cannot be persuaded to give up.
Any idea how IAS gets hold of it for CHAP? josh. Josh Howlett, Networking Specialist, University of Bristol. email: josh.howlett@bristol.ac.uk | phone: +44 (0)7867 907076 | internal: 7850
Josh Howlett <josh.howlett@bristol.ac.uk> wrote:
Any idea how IAS gets hold of it for CHAP?
IAS is incestuous with the rest of the Microsoft world. But even IAS can't do CHAP unless the "use reversible encryption" is set in AD. Once that's set, IAS uses magic secret bloated RPC calls to connect to AD, and get the password. The Samba guys are working on reverse engineering the protocol, but they're not done yet. Alan DeKok.
Stefan Winter wrote:
I've got LDAP working for PAP queries, but CHAP comes back with the "rlm_chap: Could not find clear text password".
AD and LDAP-mode don't work together. The AD server will not give away the user's attribute. If you want CHAP to work, you will need to use ntlm_auth.
Thanks for the responses guys. Unfortunately I need to support CHAP because it is used by an external global Dial-Up provider which the freeradius machine is authenticating for. The whole idea of using LDAP was because the machine was in the DMZ, and LDAP would allow us to lock it down more by only allowing the bind user access to certain parts of the AD tree. If I use ntlm_auth, the box will have to be joined to the domain (from my understanding) - wouldn't this represent quite a big security risk? Will ntlm_auth also do PAP (used by another provider authenticating against the server) where the password is in clear-text?
There's also a great tutorial on the topic, which is referenced here quite often by Charles Schwartz, see the archives for that one as well.
It's at http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf I believe (for anyone else which wants to have a look). Thanks, Luke
Luke <freeradius@luke.bpa.nu> wrote:
Unfortunately I need to support CHAP because it is used by an external global Dial-Up provider which the freeradius machine is authenticating for.
If the passwords are in AD your ONLY choice is to use IAS, and even then, only if ALL of the passwords are stored via what they call "using reversible encryption". Alan DeKok.
Alan DeKok wrote:
Luke <freeradius@luke.bpa.nu> wrote:
Unfortunately I need to support CHAP because it is used by an external global Dial-Up provider which the freeradius machine is authenticating for.
If the passwords are in AD your ONLY choice is to use IAS, and even then, only if ALL of the passwords are stored via what they call "using reversible encryption".
Thanks Alan - looks like it is not possible (we do not want to use IAS and store passwords using reversible encryption - which would also mean resetting every user's password). I'm going to need to talk to our global dial-up provider to see if they can send the radius request using anything other than CHAP if possible. Thanks again, Luke
participants (5)
-
Alan DeKok -
Josh Howlett -
Luke -
Phil Mayers -
Stefan Winter