How to use different ldap-modules?
Florian Prester
Florian.Prester at rrze.uni-erlangen.de
Wed Jun 22 11:12:17 CEST 2005
Stefan.Neis at t-online.de wrote:
> Hi,
>
>
>
>>I am really stuck :-(
>>
>>Let me try to explain what I inted to do:
>>
>>1.) PAP is just the clear-text password???
>>-> I thought pap is hashing the password with a challenge (MD-5). This
>>means the client is then transmitting this Hash to the radius, which
>>might hold the password in cleartext or as a MD-5-Hash as well. Either
>>comparing the Hashes or the passwords
>>
>>
>
>No.
>
>
>
>>So I want to the server to hold a crypted Password (MD-5) for PAP, but
>>retrieving that from the ldap server.
>>
>>
>
>In fact, that wouldn't even work if you where correct, as for encrypting
>password you typically add a random seed before hashing, so if you build
>two password hashes, they are different even for the same password (to
>avoid "replay attacks" in whatever flavour).
>
>
>
>>2.) I do not want to do any binding to the ldap for authentication!
>> I just want to retrieve the information from the ldap, but then
>>authenticate only by the radius itself!!
>>
>>
>
>Gettig the plaintext password from the LDAP server should FreeRadius allow
>to always work.
>
>Some more details on the protocols, if you are interested:
>PAP: The RADIUS client takes the password and XORs it with a hash value
>obtained from the RADIUS secret that the client shares with the server and
>transmits the "encrypted" password. The server does the same computation
>and obtains the cleartext password. If it knows the cleartext password from
>your LDAP-Server it checks it and is done, if it knows a hash value from
>your LDAP-Server, it computes the hash value of the password it obtained
>from the client and compares the hash values.
>
>CHAP: During the authentication process, the machine trying to authenticate
>gets a challenge and responds to it, based on the cleartext password. The
>RADIUS client (i.e. the NAS) takes CHAP challenge and CHAP response and sends
>both of them to the RADIUS server. The server takes the cleartext password
>and checks that the given response is correct for the given challenge. If the
>server cannot get the cleartext password is cannot verify the CHAP data.
>
>MS-CHAP: Essentially the same with an initially somewhat less secure method
>for computing responses to challenges (probably to conform with US export
>laws of that time), meanwhile "updated" to use a reasonable protocol (if you
>use NT-Response and not the old LM-Response). Mostly interesting because it
>also computes/distributes session keys based on username and password.
>Note that if an attacker can guess (or brute-force) the password, he also
>obtains the communication keys, so this encryption is only worth mentioning,
>if you put your users under strict password policies (i.e. use complicated
>passwords, change them often and don't write them down). :-(
>Note that contrary to CHAP, where you do need the cleartext password to verify
>the response for the challenge, there's an intermediate result ("LM-Password"
>or "NT-Password" depending on whether you're using NT-Response or LM-Response
>mentioned above) which is sufficient to check the correctness of the response
>(OTOH, it's also sufficient to steal said intermediate result to convince NAS
> and RADIUS server to give you access, so if your server isn't secure, it
> doesn't help if you only stored those intermediate results instead of the
> cleartext passwords).
>
> Regards,
> Stefan
>
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
Hm,
thanks to Stefan. As I now see I had some lacks of kowledge and I did
not express myself exactly.
But I still have the Problem of LDAP-Authentication!?!
Why is the radius always trying to do ldap-authentication, even if it
receives only a pap-request?
Thanks
Florian
More information about the Freeradius-Users
mailing list