Enterasys Wireless controller with Mgmt user authentication via RADIUS MSCHAP

Alan Alejandro Villaverde alan.villaverde at gmail.com
Thu Oct 30 01:35:15 CET 2014


The only way I found to make it work is setting the following lines in the
user file:

vi users:

avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456"

It works, but how do you handle 1000 users, for example? It becomes very
difficult to manage the user passwords.

For instance, if the user changes the password on the Linux box, then you
need to edit the users file to replicate that password.

I have tacacs+ running on the same box, and the user only has to use a
unique password for radius and tacacs defined by passwd. I am using PAM
authentication for this.


On the other hand, if I work with PAP I can handle the users like a Linux
user, so the management is easier and it depends on the final user. The
user can access the Linux box and change his password with a simple passwd
and all is replicated for tacacs and freeradius. That is how it is
working today, but I was requested to set MSCHAP authentication due to
security audits.

When a user tries to access the wireless controller, he enters his password
and then radius checks the password against the passwd file or shadow file
without any necessity of "editing radius users file".

I think I am missing something regarding how to set MSCHAP authentication,
and that radius checks the password without using Cleartext-Password in the
USERS file.

I don't know if I am clear enough for you. Sorry for my poor English.



2014-10-29 19:27 GMT-03:00 Arran Cudbard-Bell <a.cudbardb at freeradius.org>:

>
> > On 29 Oct 2014, at 18:16, Alan Alejandro Villaverde <alan.villaverde at gmail.com> wrote:
> >
> > Hi Alan,
> >
> > Thx for your quick feedback!
> >
> > I finally got it working. I got it to work by setting Cleartext-Password
> > in the users file as you explained to me. But, is it possible to use PAM
> > with MSCHAP? What about with a lot of users? I read the FAQ, but I am not
> > sure about how to make it work with MSCHAP and PAM.
>
> No.
>
> > Could you give me a clue?
>
> PAM and MSCHAP won't work. If you're authenticating using PAM you need the
> Cleartext-Password available, which you don't have with MSCHAP.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2



-- 
Alan Alejandro Villaverde.
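
The point made in the quoted reply, as an added example that is not part of the original thread: a passwd/shadow backend can check a password that PAP delivers, but it cannot recompute a challenge response. RFC 1994 CHAP stands in for MS-CHAP here (MS-CHAP's own MD4/DES computation is not reproduced) and PBKDF2 stands in for a crypt(3) shadow hash; all function names, the salt and the challenge are constructed.

```python
# Added illustration, not code from the thread. RFC 1994 CHAP stands in for
# MS-CHAP and PBKDF2 stands in for a crypt(3) shadow hash (both assumptions).
import hashlib
import hmac


def shadow_hash(password: bytes, salt: bytes) -> bytes:
    """One-way salted hash, the only thing a passwd/shadow backend stores."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, 5000)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_pap(typed: bytes, salt: bytes, stored: bytes) -> bool:
    """PAP hands the server the typed password, so it can re-hash and compare."""
    return hmac.compare_digest(shadow_hash(typed, salt), stored)


def verify_challenge(ident: int, challenge: bytes, response: bytes,
                     server_secret: bytes) -> bool:
    """The server must recompute the response from the secret it holds."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"123456"            # sample password from the post
    salt = b"constructed-salt"      # constructed value
    challenge = bytes(range(16))    # constructed 16-byte challenge
    ident = 7                       # constructed identifier
    stored = shadow_hash(password, salt)
    # Client side: only the response crosses the wire, never the password.
    response = chap_response(ident, password, challenge)
    return {
        "pap_vs_shadow": verify_pap(password, salt, stored),
        "challenge_vs_cleartext": verify_challenge(ident, challenge, response, password),
        "challenge_vs_shadow": verify_challenge(ident, challenge, response, stored),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The third case is rejected even though the user typed the right password, because the server holds only a one-way hash and has nothing to feed into the response computation.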
