Problem with configuring freeradius for WPA with LDAP having MD5 paswords

sankalpk sankalpk at tulip.net
Wed Feb 25 11:45:09 CET 2009


Hi Ivan,

Thanks a lot for the guidance. I rectified the problem. The debug mode 
shows that it is receiving the request from the WAN IP of the IP 
(192.168.104.xxx) , while the NAS-IP appeared to be the its LAN IP 
(192.168.1.xxx). As a result, Radius Server was trying to send the 
Access-Challenge to the LAN IP of the Access Point, which was not 
reachable, hence the problem.

However, I stuck up at a later stage. The authentication is happening 
when the users are defined in the "users" file. Then I conencted the 
Radius Server to LDAP, which is working only if the "UserPassword" in 
LDAP is stored in plain-text. But my LDAP server contains all the 
paswords in md5 encypted format. I could not get a solution for 
authenticating users when their paswords are stored in MD5.

I tried to generate MD5 password from the client machine (which is a 
windows XP) using a small script in C#, but the MD5 generated passwords 
from C# differ from those in LDAP ( quite strange !!!)

When I supply the MD5 encrypted password (if passwords are encrypted 
using slappasswd in LDAP server) from the Windows XP client, it works 
fine. Can somebody help me in getting users authenticated with LDAP if 
the passwords are in MD5??

I went through a document in the Internet that says EAP does not support 
MD5 hashes, only EAP-GTC and PAP does.
Can someone suggest a solution for getting users authenticated through 
AP whith their passwords stored in MD5??

Thanks and Regards,
SaN

>>I've been trying to autheticate a Wireless Acess Point through a Radius
>>Server for last 1 month, but things doesn't seem to be working for me.
>>The Radius Server is authenticating when I test it with the radtest
>>command. It also worked for a Cisco 2950 switch. But no luck when I use
>>the Access Point. I have tried 3 different accesspoints, including
>>Linksys, D-Link and the Firepro, but none of them worked.
>>
>>I do not get any error when I check the radius in debug mode. It says
>>"Sending Access-Challange to ....", but the client doesn't get
>>authenticated. I seriously need help on this.
>>
>>1. Do I really need certificates for authentication?
>>    
>>
>
>Yes. That conversation is EAP-TLS. *You* have selected that
>authentication method when you were creating the connection.
>
>  
>
>>Is there a way to
>>achieve WPA with UserName and Password, without installing certificates?
>>    
>>
>
>Yes. You can do PEAP with usernames and passwords. You might need to
>install CA certificate if you are signing your own.
>
>  
>
>>2. Should the AP send "User-Password" attribute to the Radius Server?
>>    
>>
>
>No.
>
>  
>
>>Or
>>should the Radius Server send an Access-Challange to the AP, and AP does
>>matching and all.
>>    
>>
>
>AP does nothing. It jast passes the challenge to the users machine.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>  
>


DISCLAIMER: This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may containconfidential and privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies and the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful. The recipient acknowledges that Tulip Telecom Limited is unable to exercise control or ensure or guarantee the integrity of/overthe contents of the information contained in e-mail transmissions and further acknowledges that any views expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of Tulip Telecom Limited. Before opening any attachments please check them for viruses!
  and defects.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090225/71992693/attachment.html>


More information about the Freeradius-Users mailing list