Enterasys Wireless controller with Mgmt user authentication via RADIUS MSCHAP
Alan DeKok
aland at deployingradius.com
Thu Oct 30 15:49:24 CET 2014
Alan Alejandro Villaverde wrote:
> The only way I found to make it work is setting the following lines in
> the users file:
>
> vi users:
>
> avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456"
Don't do that. You were told to not do that. It's not necessary.
It's wrong.
> It works, but how do you handle 1000 users, for example? It becomes very
> difficult to manage the user passwords.
You put the passwords in a database. That's what databases are for.
> For instance, if the user changes the password in the Linux box, then you
> need to edit the users file to replicate that password.
i.e. you store the passwords in 2 places, so when the password
changes, it has to be changed in both places.
That's not a surprise.
> I have tacacs+ running in the same box, and the user only has to use a
> unique password for radius and tacacs defined by passwd. I am using PAM
> authentication for this.
I have no idea what that means.
> On the other hand, if I work with PAP I can handle the users like
> Linux users, so the management is easier and it depends on the final
> user. The user can access the Linux box and change his password with a
> simple passwd and all is replicated for tacacs and freeradius. It is the
> way it is working today, but I was requested to set MSCHAP
> authentication due to security audits.
MS-CHAP isn't much more secure than PAP.
> When a user tries to access the wireless controller, he enters his password and
> then radius checks the password against the passwd file or shadow file
> without any necessity of "editing the radius users file".
MS-CHAP is incompatible with /etc/passwd. It's impossible to use them
both.
> I think I am missing something regarding how to set MSCHAP
> authentication, and that radius checks the password without using
> Cleartext-Password in the USERS file.
The server doesn't care where it gets the password from. It doesn't
matter if it's the "users" file, a database, or anywhere else.
The server DOES care about the format of the password. MS-CHAP
requires clear-text passwords, *or* NT hashed passwords. Neither format
can be stored in /etc/passwd.
It's impossible to "work around" this. Don't even try.
Alan DeKok.
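The point Alan makes above (MS-CHAP needs either the cleartext password or the NT hash, and a crypt(3) hash from /etc/shadow can never be turned into either) can be shown with a few lines of code. The following is an added example, not code from the FreeRADIUS project or from anyone in this thread. It computes the NT hash the way MS-CHAP defines it (MD4 over the UTF-16LE password), uses a pure-Python MD4 because hashlib's MD4 is often disabled under OpenSSL 3, and then resolves three constructed credential records: a `Cleartext-Password`, a stored `NT-Password`, and a crypt-style string. The function names (`resolve_nt_hash`, `nt_password_line`) and the sample entries are invented for illustration; the `NT-Password := "<32 hex chars>"` form is assumed from FreeRADIUS users-file conventions.

```python
"""
Why MS-CHAP needs a cleartext or NT-hashed password, and why a crypt(3)
hash from /etc/shadow cannot be converted into one.

Added example, not FreeRADIUS code. Helper names and sample entries are
constructed for illustration.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so the example runs without OpenSSL's legacy provider."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (function, additive constant, per-step shifts, message word order) for each round
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next step works on (d, a, b, c)
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE encoding of the password; no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def resolve_nt_hash(entry: dict):
    """
    Return (nt_hash_bytes_or_None, reason) for a stored credential, mirroring
    what an MS-CHAP authenticator needs: cleartext can be hashed on the fly,
    a stored NT hash is used as-is, a crypt(3) hash is unusable.
    """
    if "Cleartext-Password" in entry:
        return nt_hash(entry["Cleartext-Password"]), "derived from cleartext"
    if "NT-Password" in entry:
        hexval = entry["NT-Password"]
        if hexval.lower().startswith("0x"):
            hexval = hexval[2:]
        return bytes.fromhex(hexval), "stored NT hash used directly"
    if "Crypt-Password" in entry:
        # A crypt(3) string ($6$salt$... in /etc/shadow) is a one-way function
        # of the password under a different, salted algorithm. Nothing can map
        # it to MD4(UTF-16LE(password)), so MS-CHAP cannot verify against it.
        return None, "crypt hash cannot be converted to an NT hash"
    return None, "no usable password attribute"


def nt_password_line(username: str, password: str) -> str:
    """Users-file style line that stores only the NT hash rather than the cleartext
    (attribute syntax assumed from FreeRADIUS conventions: 32 hex characters)."""
    return f'{username} NT-Password := "{nt_hash(password).hex()}"'


# Constructed sample entries: the same password, "password", stored three ways.
SAMPLES = {
    "cleartext": {"Cleartext-Password": "password"},
    "nthash":    {"NT-Password": "8846f7eaee8fb117ad06bdd830b7586c"},
    "shadow":    {"Crypt-Password": "$6$constructedsalt$notarealhash"},  # constructed, not a real hash
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        digest, why = resolve_nt_hash(entry)
        print(f"{name:9s} -> {digest.hex() if digest else 'unusable':32s} ({why})")
    print(nt_password_line("avillaverde", "password"))
```

Storing `NT-Password` instead of `Cleartext-Password` keeps the cleartext out of the users file or database, but note that the NT hash is unsalted and is itself a password-equivalent for MS-CHAP, so it must be protected exactly as carefully as the cleartext would be; that is the reason behind the remark that MS-CHAP is not much more secure than PAP.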