Wireless WPA2 enterprise Radius authentication

Maurice James midnightsteel at msn.com
Thu Oct 28 01:56:27 CEST 2010


I will give it another try. I've been trying for the last hour to get the
clear text password policy to stick to a user. Every time I run the radius
debug I see a hashed value passed from LDAP. I have to search online for the
instructions on how to get the 389-ds server to use clear text. Thanks for all
the help and advice, all. This is one of the most responsive lists that I
have ever been a member of.

-----Original Message-----
From: freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org
[mailto:freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org]
On Behalf Of John Dennis
Sent: Wednesday, October 27, 2010 7:44 PM
To: FreeRadius users mailing list
Cc: Sven Hartge
Subject: Re: Wireless WPA2 enterprise Radius authentication

On 10/27/2010 07:11 PM, Sven Hartge wrote:
> You need a password in the clear in your LDAP directory, not hashed. I
> use a different (self defined) attribute in my LDAP directory to do
> this and use ldap.attrmap to map this attribute (called
> gifb-NetzPassword in my schema) to the required RADIUS-Attribute-Name:
>
> checkItem       Cleartext-Password              gifb-NetzPassword

Sven knows this but probably just forgot to mention it. No matter which
LDAP attribute you choose to store the clear text password in, make sure it
is absolutely locked down with LDAP ACIs (Access Controls).
Consult your LDAP documentation for the exact syntax since it tends to vary
with different servers. The ACI should permit only the LDAP administrator
and the radius user (the special user account assigned exclusively to the
radius *server*) to access the password attribute.

You may additionally provide an extra level of protection if someone gets
access to the actual disk files (or backups) of the LDAP store by asking
your LDAP server to reversibly encrypt the attribute used to store the
cleartext password. Not all LDAP servers have this feature but many do.

Finally, many people would argue it's never a good idea to store cleartext
passwords under any circumstance. There is much validity to that argument
and you should give it careful consideration.

Another option besides storing cleartext is to use a multivalued LDAP
attribute with different hashes, including the NT hash. But whether you go
the cleartext route or the multivalued password attribute route you'll have
to get your users to re-enter their passwords so you can generate the hashes.
Consult your LDAP documentation; many LDAP servers can be configured when
storing a password to generate a variety of hashes and then throw the
cleartext away, leaving only the specified hashes in LDAP.

--
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list