Combining EAP, MSCHAP and LDAP

Phil Mayers p.mayers at imperial.ac.uk
Mon Dec 9 10:26:05 CET 2013


On 09/12/13 08:45, David Hartburn wrote:
> Hi,
>
> Can anyone help advise if FreeRADIUS is suitable without any other
> changes to the existing infrastructure at my institution? If so, any
> advice on the best way to implement would be appreciated.
>
> I am looking at options for replacing MS NPS with basically something
> better that works and is debuggable. FreeRadius looks the best option.
>
> Our setup is a little complicated. Wireless users authenticate with EAP
> type PEAP, the inner authentication being done via MSCHAPv2. At the
> backend, we have a *nix based LDAP server with a particular attribute
> set for if a user is permitted to access the wireless network. Passwords
> are stored in an encrypted format.

Which encrypted format? Unless it's the NT hash (MD4 of UCS16 encoding 
of password) then you're out of luck I'm afraid, as MSCHAP requires 
plaintext or NT hash.

See:

http://deployingradius.com/documents/protocols/compatibility.html

> you can read the userPassword attribute which must be plain text if
> MSCHAP is needed. Neither sounds suitable for what I need.
>
> Is it possible for FreeRadius to use EAP, MSCHAP, check a LDAP attribute
> and an encrypted password?

Not unless it's the NT hash, no.

> exists and has rights for wireless (I have this bit working), then to
> authenticate a bind is made as the user. Does this sound reasonable?

MSCHAP does not give the RADIUS server a username & password, so you 
can't "bind as" the user. Instead you get a challenge and response 
value, that need to be checked using a cryptographic algorithm that 
takes username & NT hash as inputs. So you need to store NT hash (or 
cleartext, which can be used to generate it).

Cheers,
Phil

