LDAP FreeRadius and DLINK DWC.

Herwin Weststrate herwin at quarantainenet.nl
Tue Oct 13 10:40:32 CEST 2015


On 13-10-15 10:32, Martin Rheumer wrote:
> Hi All,
> 
> We are looking at trying to implement WPA Enterprise with LDAP Auth,
> FreeRadius using a DLINK DWC-1000 Wifi Controller.
> I have spent the day trying to determine if the new version 3.0 and the
> inner tunnel now allows this to work
> over older versions and mailing list entries saying this will never work
> and I can't seem to figure a straight answer.
>
> ...
>
> [root at ho-radius raddb]# radtest martinr password 127.0.0.1:18120 0
> testing123
> Sending Access-Request Id 134 from 0.0.0.0:41385 to 127.0.0.1:18120
>         User-Name = 'martinr'
>         User-Password = 'password'
>         NAS-IP-Address = 10.0.0.40
>         NAS-Port = 0
>         Message-Authenticator = 0x00
> Received Access-Accept Id 134 from 127.0.0.1:18120 to 127.0.0.1:41385
> length 20
> [root at ho-radius raddb]# radtest -t mschap martinr password
> 127.0.0.1:18120 0 testing123
> Sending Access-Request Id 145 from 0.0.0.0:37203 to 127.0.0.1:18120
>         User-Name = 'martinr'
>         NAS-IP-Address = 10.0.0.40
>         NAS-Port = 0
>         Message-Authenticator = 0x00
>         MS-CHAP-Challenge = 0x062507387c1f6b17
>         MS-CHAP-Response =
> 0x0001000000000000000000000000000000000000000000000000adc03505c874be4c4e5e7a7d6549ebd9beb0f752c40fc74f
> 
> Received Access-Reject Id 145 from 127.0.0.1:18120 to 127.0.0.1:37203
> length 38
>         MS-CHAP-Error = '\000E=691 R=1'
> (0) -: Expected Access-Accept got Access-Reject

As you can see here, using PAP authentication works, but MS-CHAP doesn't
work.

> (0)  ldap : Processing user attributes
> (0)  ldap :     control:Password-With-Header +=
> '{SSHA}sjcybNoAjvx2+LHSN9Z8zE0JEd0khiue'
> rlm_ldap (ldap): Released connection (4)

And here it shows why: you fetch a hash of a certain type from the
LDAP server. MS-CHAP also uses hashing, but a different kind, and those two
are incompatible. That's why "mailing list entries saying this will
never work".
The first radtest entry uses PAP authentication, which means the
password is available in plaintext and can be converted to any kind of hash.

There is an overview of the compatibility of hashes/authentication types
at http://deployingradius.com/documents/protocols/compatibility.html

-- 
Herwin Weststrate
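As an added example (not from this thread or from FreeRADIUS itself), the Python below shows why the PAP request succeeded against the {SSHA} value while MS-CHAP could not: PAP carries the plaintext, so a salted SHA1 can be recomputed and compared, whereas MS-CHAP is keyed on the NT hash (MD4 over the UTF-16LE password), which an {SSHA} value cannot yield. The stored-header handling and the sample salt are constructed for illustration and are assumptions of this example.

```python
import base64, hashlib, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): hashlib's md4 is often absent on OpenSSL 3 builds."""
    M = 0xFFFFFFFF
    rol = lambda x, n: (((x & M) << n) | ((x & M) >> (32 - n))) & M
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):
            a, b, c, d = d, rol(a + F(b, c, d) + X[i], s), b, c
        for i, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13] * 4):
            a, b, c, d = d, rol(a + G(b, c, d) + X[i] + 0x5A827999, s), b, c
        for i, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15] * 4):
            a, b, c, d = d, rol(a + H(b, c, d) + X[i] + 0x6ED9EBA1, s), b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash, the secret MS-CHAP(v2) is keyed on: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def ssha_encode(password: str, salt: bytes) -> str:
    """Build an LDAP {SSHA} value: base64(SHA1(password || salt) || salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def pap_check_ssha(password: str, stored: str) -> bool:
    """PAP: the plaintext is in the request, so the stored salted SHA1 can simply be recomputed."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def nt_hash_for_mschap(stored: str):
    """MS-CHAP: the request carries only a challenge/response, so the server must already hold
    the NT hash (or the plaintext to derive it). Header names follow Password-With-Header style;
    modelling just {clear}, {nt} and {SSHA} is an assumption of this example."""
    header, value = stored[1:].split("}", 1)
    header = header.lower()
    if header in ("clear", "cleartext"):
        return nt_hash(value)              # plaintext store: derive the NT hash on the fly
    if header == "nt":
        return bytes.fromhex(value)        # NT-hash store: usable directly
    return None  # {SSHA}: salted one-way SHA1, no path to the NT hash -> MS-CHAP-Error E=691
```

With a {clear} or {nt} value in LDAP both functions succeed; with {SSHA} only the PAP path does, which is exactly the Accept/Reject pair seen in the radtest output above.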
