FR and PEAP question

Matt Ashfield mda at unb.ca
Tue Jun 10 15:17:10 CEST 2008


Hi,

I’m now trying your suggestions for getting FR and PEAP working together.
Below is the result of a radtest that I did.

The password that is being supplied by radtest is in plain-text, should I be
supplying it in ntPassword-encrypted format?

It looks to me like I have something wrong with my authenticate section.

My authorize section looks like:
authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        Autz-Type Ldap1 {
                redundant-load-balance {
                        unbldap
                        unbldap2
                }
                mschap
        }
}


The radtest result is below:
rad_recv: Access-Request packet from host 127.0.0.1 port 32769, id=97,
length=55
        User-Name = "mda"
        User-Password = "abc123"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Tue Jun 10 10:07:34 2008 : Debug: +- entering group authorize
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[preprocess] returns ok
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from chap
(rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[chap] returns noop
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[mschap] returns noop
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug:     rlm_realm: No '@' in User-Name =
"mda", looking up realm NULL
Tue Jun 10 10:07:34 2008 : Debug:     rlm_realm: No such realm "NULL"
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[suffix] returns noop
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from eap
(rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[eap] returns noop
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[files] returns noop
Tue Jun 10 10:07:34 2008 : Debug: auth: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue Jun 10 10:07:34 2008 : Debug: auth: Failed to validate the user.
Tue Jun 10 10:07:34 2008 : Auth: Login incorrect: [mda] (from client
localhost port 0)
Tue Jun 10 10:07:34 2008 : Debug: Delaying reject of request 0 for 1 seconds
Tue Jun 10 10:07:34 2008 : Debug: Going to the next request
Tue Jun 10 10:07:34 2008 : Debug: Waking up in 0.9 seconds.
Tue Jun 10 10:07:35 2008 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 97 to 127.0.0.1 port 32769
Tue Jun 10 10:07:35 2008 : Debug: Waking up in 4.9 seconds.
Tue Jun 10 10:07:40 2008 : Debug: Cleaning up request 0 ID 97 with timestamp
+17
Tue Jun 10 10:07:40 2008 : Debug: Ready to process requests.


Any assistance is appreciated.

Thanks
Matt 
mda at unb.ca


-----Original Message-----
From: Thibault Le Meur [mailto:Thibault.LeMeur at supelec.fr] 
Sent: Monday, May 26, 2008 11:00 AM
To: mda at unb.ca; FreeRadius users mailing list
Subject: Re: FR and PEAP question

Matt Ashfield a écrit :
>
> Hi,
>
> We’re looking into using PEAP with MSChapV2, instead of PAP (don’t 
> want to use the SecureW2 client anymore) so are investigating ways to 
> store the password in LDAP.
>
> According to 
> http://deployingradius.com/documents/protocols/compatibility.html ,the 
> options are storing the password in Clear-Text or in an NT Hash 
> (ntlm_auth).
>
> In talking with our LDAP people, I was told the following:
>
> SunOne does not support nt-hash passwords. Supported formats are 
> CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
>
> Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, 
> NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and 
> SSHA512.
>

This means that your userPassword attribute must contain your password 
in the previously mentioned hash forms. This userPassword attribute is 
used internally by your LDAP directory in order to authenticate your 
access (bind) to the LDAP server.

> It sounds to me like if we want to do PEAP/MSChapV2 we’d have to store 
> the password in cleartext? I would just like to verify this via this list.
>

Not necessarily. You may _not_ want to use LDAP binding as the 
authentication process, but only use your LDAP directory as a database 
backend in which FR will read a given LDAP attribute (different from 
'userPassword') and map it to the NT-Hash version of the user password.

In other words (setup for FR1.7):
* in your LDAP directory entries add a new attribute (that will hold the 
NT-Hash version of the user password)
* update the configuration file ldap.attrmap so that the new ldap 
attribute maps to the radius NT-Password attribute
* setup your rlm_ldap module and use it in the authorize section (NOT 
the authenticate section)
* don't forget to use the mschap module in your authorize section (after 
the ldap one) so that the MS-CHAP authentication will see the hashed 
user password and set Auth-Type accordingly

Hope this helps,
Thibault
> Any advice is appreciated.
>
> Thanks
>
> Matt
>
> mda at unb.ca
