Yet another PEAP/LDAP Question
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jan 25 17:39:01 CET 2006
Jon P. Giza wrote:
> Hello all:
>
> I am trying to set up an 802.1X WiFi authentication system using freeradius.
> My setup is as follows:
>
> Windows XP SP2 as the supplicant using PEAP/MSCHAPv2
> Cisco Aironet 1231
> Freeradius 1.1.0
> IBM Lotus Domino LDAP
>
> The process is mostly working - Freeradius binds to LDAP properly, the User
> gets authorized, Freeradius pulls the correct password hash from the Domino
> LDAP server. But, then the MSCHAP portion fails. A portion of the log is
> shown below which I believe shows the problem.
>
> I am thinking that the problem is that I am not telling Freeradius how to
> hash the supplied password correctly to match the Domino password. The
> aggravating part is that we are using the exact same Domino LDAP server to
> authenticate our VPN users.
That's only relevant if the VPN is using MS-CHAP to authenticate, and
even then only if it's doing it by extracting the hash as opposed to
"some other" method.
>
> Full (sanitized) copy of the debug output is here:
> http://www.xbytenetworks.com/debug-log.txt
> Copy of Radiusd.conf is here: http://www.xbytenetworks.com/radiusd.conf
>
> Thanks in advance for any help you can offer.
>
> Jon
>
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for jon.giza
> radius_xlat: '(uid=jon.giza)'
> radius_xlat: 'OU=Waukesha,OU=NA,O=MyCo'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in OU=Waukesha,OU=NA,O=MyCo, with filter
> (uid=jon.giza)
> rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check items
That looks like the right format to be an NT hash. However, the default
radiusd.conf (and yours) says:
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# Set:
# password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
Having said that, I don't see any evidence of this so-called "figuring
out" in the rlm_ldap source code - it looks to me like it does this:
    if password_attribute:
        # fetch the configured attribute from the LDAP result
        val = ldap_result_attr(password_attribute)
        if password_header:
            # header comparison is case-sensitive
            if val.startswith(password_header):
                val = val.remove(password_header)
            else:
                error("no password header found")
        # whatever is left goes straight into User-Password
        check_items.add("Password", val)
i.e. a straight copy to User-Password with optional removal of a {type}
header.
What you want to do is get the NT hash into the "NT-Password" attribute,
which you normally do in the ldap.attrmap section. By default this is
set up to do this:
checkItem LM-Password lmPassword
checkItem NT-Password ntPassword
...but from the looks of it your LDAP has the NT hash unadorned in the
"userPassword" attribute. So, comment out "password_attribute" in the
LDAP module, and set this in the ldap.attrmap file:
checkItem NT-Password userPassword
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user jon.giza authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 5
> modcall: leaving group authorize (returns updated) for request 5
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 5
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 5
> rlm_mschap: Told to do MS-CHAPv2 for jon.giza with NT-Password
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 5
> modcall: leaving group MS-CHAP (returns reject) for request 5
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 5
> modcall: leaving group authenticate (returns reject) for request 5
> auth: Failed to validate the user.
> Login incorrect: [jon.giza/<no User-Password attribute>] (from client
> wifi.myco.com port 0)
> PEAP: Tunneled authentication was rejected.
> rlm_eap_peap: FAILURE
> modcall[authenticate]: module "eap" returns handled for request 5
> modcall: leaving group authenticate (returns handled) for request 5
> Sending Access-Challenge of id 152 to 10.100.224.235 port 1645
> EAP-Message = 0x010800261900170301001b1bb3ec40925325e30990ce3b14a78af7abc1f7222d06716740d2ff
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x132496908cd3121e6967d7ddafcdd795
> Finished request 5
>
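To make the two configurations in the reply concrete, here is a small model of how rlm_ldap turns an LDAP entry into check items and why rlm_mschap then rejects the request. It is an added example written for this thread, not FreeRADIUS code: the attribute names, the constructed sample entry and the hash value are assumptions, and the "0x" plus 32 hex digits rule is taken from the radiusd.conf comment quoted above.

```python
"""Model of rlm_ldap check-item handling (constructed for this thread; not
FreeRADIUS source).  Two paths are modelled: the password_attribute /
password_header copy into User-Password, and ldap.attrmap "checkItem" lines."""
import re

BARE_HASH_RE = re.compile(r"[0-9a-fA-F]{32}")
NT_PASSWORD_RE = re.compile(r"0x[0-9a-fA-F]{32}")


def ldap_check_items(entry, password_attribute=None, password_header=None,
                     attrmap=()):
    """Return the check items rlm_ldap would add for one LDAP entry.
    entry:   dict of LDAP attribute -> string value
    attrmap: (radius_attr, ldap_attr) pairs, one per "checkItem" line"""
    items = {}
    # Path 1: straight copy into User-Password, optionally stripping a
    # {type} header.  The header comparison is case-sensitive.
    if password_attribute and password_attribute in entry:
        val = entry[password_attribute]
        if password_header:
            if not val.startswith(password_header):
                raise ValueError("no password header found")
            val = val[len(password_header):]
        items["User-Password"] = val
    # Path 2: attrmap lines copy LDAP attributes into named RADIUS attributes.
    for radius_attr, ldap_attr in attrmap:
        if ldap_attr in entry:
            items[radius_attr] = entry[ldap_attr]
    return items


def mschap_problems(items):
    """List why rlm_mschap would reject MS-CHAPv2 with these check items."""
    nt = items.get("NT-Password")
    if nt is None:
        if BARE_HASH_RE.fullmatch(items.get("User-Password", "")):
            return ["NT hash landed in User-Password, not NT-Password"]
        return ["no NT-Password check item"]
    if not NT_PASSWORD_RE.fullmatch(nt):
        return ["NT-Password is not 0x followed by 32 hex digits"]
    return []


def normalize_nt_hash(value):
    """Prefix a bare 32-hex-digit hash with the "0x" radiusd.conf calls for."""
    return "0x" + value if BARE_HASH_RE.fullmatch(value) else value


# Constructed sample: Domino-style entry with a bare NT hash in userPassword.
SAMPLE_ENTRY = {"userPassword": "0123456789abcdef0123456789abcdef"}
```

Running `ldap_check_items(SAMPLE_ENTRY, password_attribute="userPassword")` reproduces the log above (hash in User-Password, no NT-Password), while `attrmap=[("NT-Password", "userPassword")]` puts it where rlm_mschap looks.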