LDAP/MSCHAP

Whitlow, Michael mwhitlow at bumail.bradley.edu
Tue Nov 15 20:53:10 CET 2011


I wanted to say thanks to everybody from this list who has given me a hand over the past few weeks.  I have successfully configured Freeradius to authenticate 802.1X wireless clients from an AD domain and assign them the appropriate VLAN tag based on AD/LDAP group membership.  Many thanks to everybody.  

-----Original Message-----
From: freeradius-users-bounces+mwhitlow=bumail.bradley.edu at lists.freeradius.org [mailto:freeradius-users-bounces+mwhitlow=bumail.bradley.edu at lists.freeradius.org] On Behalf Of Sven Hartge
Sent: Sunday, November 13, 2011 8:39 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: LDAP/MSCHAP

Andreas Rudat <rudat at endstelle.de> wrote:
> On 12.11.2011 23:00, Sven Hartge wrote:

>> This also means you have to protect those Hashes inside your database
>> like a raw cleartext password, as you can authenticate to any Windows
>> box with the knowledge of the NT/LM-Hash.
>>
>> This has been exploited by several Windows trojan horses, which
>> grabbed the NT-Hash from the Administrator user to login into other
>> boxes on the network using the same password (or worse: the domain
>> controller).

> Ah, many thanks for that clarification, so both are bad no matter which
> mechanism is used.

Yes. Storing the NT-Hash has the advantage of not completely exposing
the cleartext password to a possible intruder. Storing the LM-Hash is
just dumb, because a) it limits the length of the password to 16
characters and b) LM-Hash is easily broken in seconds by today's
computers.

Storing the raw cleartext password is as bad, but it enables one to use
other challenge-handshake auths, if needed.

I chose to store the raw cleartext password in LDAP, but in a different
attribute than the normal userPassword.

This way, if my LDAP servers ever get compromised (or I mess up with an
ACL, enabling anyone to read the cleartext password), just the
WLAN/Dialup-Password of a user is revealed and not the master password
for the account, which is used for mail, logging in to computers, etc.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
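The storage design Sven describes above (a dedicated LDAP attribute for the WLAN/dial-up secret, separate from userPassword, so that a leak of that attribute does not expose the account's master password) can be expressed as an rlm_ldap configuration. The fragment below is an added example and not from the thread or the FreeRADIUS project; it uses the FreeRADIUS 3.x `update` syntax from mods-available/ldap, and the attribute name `radiusPassword`, the hostname and the bind DN are hypothetical placeholders.

```conf
# Added example (not from the thread): FreeRADIUS 3.x rlm_ldap fragment in the
# style of raddb/mods-available/ldap. "radiusPassword" is a hypothetical
# attribute name; the stock configuration maps userPassword instead.
ldap {
    server   = "ldaps://ldap.example.org"                 # placeholder host
    identity = "cn=radius,ou=services,dc=example,dc=org"  # placeholder bind DN
    password = "<bind-password>"                          # placeholder
    base_dn  = "ou=people,dc=example,dc=org"

    update {
        # Hand only the WLAN/dial-up secret to rlm_mschap. The account's
        # master credential (userPassword) is never read by RADIUS.
        control:Cleartext-Password := 'radiusPassword'

        # Deliberately no mapping of userPassword here: if the RADIUS host or
        # its bind credentials are compromised, only radiusPassword is exposed.
    }
}
```

On the directory side the same separation should be enforced by the ACL, so that only the RADIUS bind DN can read the attribute; in OpenLDAP that is an `olcAccess` rule of the form `to attrs=radiusPassword by dn.exact="cn=radius,ou=services,dc=example,dc=org" read by * none` (placeholder DN). Because rlm_mschap derives the NT hash from this cleartext value, the attribute must be protected exactly as Sven says the NT hash itself must be: anyone who can read it can authenticate as that user to the WLAN.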
