How to use different ldap-modules?

Stefan.Neis at t-online.de Stefan.Neis at t-online.de
Wed Jun 22 10:59:01 CEST 2005


Hi,

> I am really stuck :-(
>   
> Let me try to explain what I intend to do:
>   
> 1.) PAP is just the clear-text password???
> -> I thought pap is hashing the password with a challenge (MD-5). This 
> means the client is then transmitting this Hash to the radius, which 
> might hold the password in cleartext or as a MD-5-Hash as well. Either 
> comparing the Hashes or the passwords

No.

> So I want the server to hold a crypted Password (MD-5) for PAP, but 
> retrieving that from the ldap server.

In fact, that wouldn't even work if you were correct, as for encrypting
password you typically add a random seed before hashing, so if you build
two password hashes, they are different even for the same password (to
avoid "replay attacks" in whatever flavour).

> 2.) I do not want to do any binding to the ldap for authentication!
>     I just want to retrieve the information from the ldap, but then 
> authenticate only by the radius itself!!

FreeRadius should always allow getting the plaintext password from the LDAP
server to work.

Some more details on the protocols, if you are interested:
PAP: The RADIUS client takes the password and XORs it with a hash value
obtained from the RADIUS secret that the client shares with the server and
transmits the "encrypted" password. The server does the same computation
and obtains the cleartext password. If it knows the cleartext password from
your LDAP-Server it checks it and is done, if it knows a hash value from
your LDAP-Server, it computes the hash value of the password it obtained
from the client and compares the hash values.

CHAP: During the authentication process, the machine trying to authenticate
gets a challenge and responds to it, based on the cleartext password. The
RADIUS client (i.e. the NAS) takes CHAP challenge and CHAP response and sends
both of them to the RADIUS server. The server takes the cleartext password
and checks that the given response is correct for the given challenge. If the
server cannot get the cleartext password it cannot verify the CHAP data.

MS-CHAP: Essentially the same with an initially somewhat less secure method
for computing responses to challenges (probably to conform with US export
laws of that time), meanwhile "updated" to use a reasonable protocol (if you
use NT-Response and not the old LM-Response). Mostly interesting because it
also computes/distributes session keys based on username and password.
Note that if an attacker can guess (or brute-force) the password, he also
obtains the communication keys, so this encryption is only worth mentioning
if you put your users under strict password policies (i.e. use complicated
passwords, change them often and don't write them down). :-(
Note that contrary to CHAP, where you do need the cleartext password to verify
the response for the challenge, there's an intermediate result ("LM-Password"
or "NT-Password" depending on whether you're using NT-Response or LM-Response
mentioned above) which is sufficient to check the correctness of the response
(OTOH, it's also sufficient to steal said intermediate result to convince NAS
and RADIUS server to give you access, so if your server isn't secure, it
doesn't help if you only stored those intermediate results instead of the
cleartext passwords).

Regards,
        Stefan
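An added example, not part of the thread and not FreeRADIUS code, showing the two mechanisms the reply describes: the RFC 2865 User-Password hiding a NAS applies for PAP (XOR with MD5 of the shared secret chained from the Request Authenticator), the server recovering the cleartext and checking it against a stored hash, and the RFC 1994 MD5 CHAP response that can only be verified from the cleartext password. The shared secret, password and salt are constructed values, and the salted SHA-256 storage is an assumption used to illustrate the "server holds a hash" case.

```python
import hashlib
import secrets

# Constructed example values (not taken from the thread).
SHARED_SECRET = b"example-radius-secret"
PASSWORD = b"correct horse battery"

def _xor_stream(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous hidden block), chained from the Request Authenticator.
    This is obfuscation keyed by the shared secret, not real encryption."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = data[i:i + 16]
        result = bytes(b ^ k for b, k in zip(block, key))
        out += result
        prev = block if decrypt else result  # always chain on the hidden block
    return out

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: zero-pad the cleartext to whole 16-byte blocks (at least one)."""
    blocks = max(1, (len(password) + 15) // 16)
    return _xor_stream(password.ljust(blocks * 16, b"\x00"), secret, authenticator, False)

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the XOR stream and strip the zero padding."""
    return _xor_stream(hidden, secret, authenticator, True).rstrip(b"\x00")

def pap_verify_hashed(hidden, secret, authenticator, salt, stored_digest) -> bool:
    """Server that only stores salt + SHA-256(salt || password) (assumed scheme):
    recover what the client sent, hash it the same way, compare in constant time."""
    recovered = pap_recover(hidden, secret, authenticator)
    return secrets.compare_digest(hashlib.sha256(salt + recovered).digest(), stored_digest)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || password || Challenge).
    The verifier must know the cleartext; a salted hash cannot reproduce this."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident: int, cleartext: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from the cleartext and compare."""
    return secrets.compare_digest(chap_response(ident, cleartext, challenge), response)
```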






More information about the Freeradius-Users mailing list