Freeradius in an AD environment on opensuse server
Alan DeKok
aland at deployingradius.com
Sat Aug 16 11:05:03 CEST 2008
Maurizio Cimaschi wrote:
> Alan DeKok wrote:
>> The *client* has to supply the MS-CHAP magic using the LAN-manager
>> password. Since the client always chooses NT-hashed passwords... using
>> LAN manager passwords is not possible.
>
> From the README in src/modules/rlm_mschap
...
> So it seems more a limit of the server.
No. The server ALREADY can use LM passwords to authenticate users, IF
one is supplied, AND the client supplies the LM fields of the MS-CHAP
response. Go read the source code to rlm_mschap.c
> Could it be possible to see in the debug if the two encrypted pwd are
> available? If they're there it could be possible to write a patch and,
> possibly, to attach directly to the AD (which seems to make that LM pwd
> available).
You don't need a patch. You can just add the dBCSpwd to ldap.attrmap.
But it won't help.
Why? Take a look at RFC 2548, and compare MS-CHAP v*1* to MS-CHAP
v*2*. There's no LM-Password fields on MS-CHAPv2. And PEAP uses
EAP-MSCHAPv2, not v1. Newer versions of Windows also do MS-CHAPv2, not v1.
So... the dBCSpwd field will only help if the client is doing
MS-CHAPv1. Which means PPP. Sometimes. For very old versions of Windows.
Nice, but not very helpful.
Alan DeKok.
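The point above hinges on the wire formats in RFC 2548: an MS-CHAP-Response (v1) carries both an LM-Response and an NT-Response with a Flags octet saying which one the server should verify, whereas an MS-CHAP2-Response (v2) has no LM field at all. The parser below, added here as an illustration and not code from the list post or from FreeRADIUS, decodes both attribute layouts and reports which password hash (LM from dBCSpwd, or NT) the server would need to check the response. The sample byte strings are constructed filler, not real captures.

```python
"""
Which password hash does a RADIUS server need for a given MS-CHAP response?

Attribute layouts per RFC 2548:
  MS-CHAP-Response  (v1): Ident(1) Flags(1) LM-Response(24) NT-Response(24)  = 50 bytes
  MS-CHAP2-Response (v2): Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24) = 50 bytes

For v1 the Flags octet selects the response the server verifies:
  0 -> LM-Response, derived from the LAN Manager hash (AD attribute dBCSpwd)
  1 -> NT-Response, derived from the NT hash
v2 carries no LM-Response, so only the NT hash can ever verify it.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MSCHAP_V1_LEN = 50
MSCHAP_V2_LEN = 50


@dataclass
class MsChapResponse:
    version: int
    ident: int
    flags: int
    lm_response: Optional[bytes]      # present only in v1
    nt_response: bytes                # NT-Response (v1) or Response (v2)
    peer_challenge: Optional[bytes]   # present only in v2

    @property
    def needed_hash(self) -> str:
        """Hash the server must hold to verify this response: 'LM' or 'NT'."""
        if self.version == 1 and (self.flags & 0x01) == 0:
            return "LM"
        return "NT"


def parse_mschap_v1(value: bytes) -> MsChapResponse:
    """Decode an MS-CHAP-Response (Vendor-Type 1) attribute value."""
    if len(value) != MSCHAP_V1_LEN:
        raise ValueError(f"MS-CHAP-Response must be {MSCHAP_V1_LEN} bytes, got {len(value)}")
    ident, flags, lm, nt = struct.unpack("!BB24s24s", value)
    return MsChapResponse(1, ident, flags, lm, nt, None)


def parse_mschap_v2(value: bytes) -> MsChapResponse:
    """Decode an MS-CHAP2-Response (Vendor-Type 25) attribute value."""
    if len(value) != MSCHAP_V2_LEN:
        raise ValueError(f"MS-CHAP2-Response must be {MSCHAP_V2_LEN} bytes, got {len(value)}")
    ident, flags, peer, _reserved, resp = struct.unpack("!BB16s8s24s", value)
    if flags != 0:
        raise ValueError("MS-CHAP2-Response Flags octet must be zero")
    return MsChapResponse(2, ident, flags, None, resp, peer)


def server_can_verify(resp: MsChapResponse, have_lm_hash: bool, have_nt_hash: bool) -> bool:
    """True if the server holds the hash this particular response requires."""
    return have_lm_hash if resp.needed_hash == "LM" else have_nt_hash


# Constructed sample attribute values (filler bytes, not real captures).
SAMPLE_V1_LM = bytes([0x07, 0x00]) + b"\x11" * 24 + b"\x00" * 24   # v1, Flags=0: LM path
SAMPLE_V1_NT = bytes([0x07, 0x01]) + b"\x00" * 24 + b"\x22" * 24   # v1, Flags=1: NT path
SAMPLE_V2 = bytes([0x07, 0x00]) + b"\x33" * 16 + b"\x00" * 8 + b"\x44" * 24  # v2


if __name__ == "__main__":
    for name, parser, raw in (("v1/LM", parse_mschap_v1, SAMPLE_V1_LM),
                              ("v1/NT", parse_mschap_v1, SAMPLE_V1_NT),
                              ("v2", parse_mschap_v2, SAMPLE_V2)):
        r = parser(raw)
        # Server that only has dBCSpwd (LM hash) mapped, as in the thread:
        print(f"{name}: needs {r.needed_hash} hash; "
              f"verifiable with LM hash only: {server_can_verify(r, True, False)}")
```

Running it shows that a server holding only the LM hash can verify just the v1/Flags=0 case; every MS-CHAPv2 (and hence PEAP/EAP-MSCHAPv2) exchange requires the NT hash, which is why mapping dBCSpwd does not help there.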