OpenLDAP+FreeRadius Encryption

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Feb 2 00:38:22 CET 2016


> On Feb 1, 2016, at 6:09 PM, Greg Mischel Smith <gregms at gmail.com> wrote:
> 
> We're currently using freeradius 2.x and migrating to a new server
> where we will be using 3.0.4.
> 
> Our OpenLDAP server has plaintext passwords currently, but as I migrate the
> server over, I would like to encrypt and salt them (something like SSHA).
> Both the LDAP and Radius servers will be on the same box.
> 
> The problem devices are our wireless clients made up of Macs and phones
> (Android and iPhone) and the traffic passes through a Cisco WLC.
> 
> If I want to encrypt, then it seems I would have to use EAP-GTC along with
> PAP. The Macs seem to only want to authenticate with MSCHAPv2. I found on
> Android phones if I don't set the Phase 2 authentication, it only checks
> MSCHAPv2, however if I force it to use GTC, then it authenticates
> correctly. I did notice in the logs using GTC, it has the ability to
> display the encrypted password in the clear. Didn't do this with MSCHAPv2.
> 
> So here are my questions:
> 1. Is there something I'm missing from what I've been trying and seeing above?

iPhones can do TTLS-PAP which gives you the passwords in the clear.

Comment out mschap in your EAP config to disallow negotiation of mschap,
they'll try something else...

> 2. Is GTC and PAP with encrypted passwords less secure than using MSCHAPv2
> with Plain text passwords in LDAP (even though they are on the same box)?

If you're serious about security EAP-TLS is the only method that's widely
available and secure.

PEAP and TTLS are pretty bad when used with PAP/GTC/MSCHAPv2 inners.
They rely on the user correctly identifying the certificate presented by the
RADIUS server as being genuine.  It's not like HTTPS where you at least
have a domain you can check against the CN; with 802.1X you have nothing
other than the SSID.

If the user can't do that, then their password is effectively compromised.

I heard rumours of an update to the EAP-PWD RFC that may allow salted
passwords to be used.  If that's correct, then the new version of EAP-PWD
would be the only user-name/password based EAP method that was secure, and
worked with hashed passwords.

> 3. Should Macs be able to use GTC? I've read that with Cisco ISE, this can
> be forced, but beyond that I couldn't come across any article discussing it.

Unsure, but in terms of functionality it's almost identical to TTLS-PAP
which OSX does support.

-Arran
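The trade-off the thread turns on is which inner methods can still be verified once the directory stops holding cleartext: PAP-style inners (PAP, GTC, TTLS-PAP) deliver the password inside the TLS tunnel, so the server can check it against a salted {SSHA} value; MSCHAPv2 instead proves knowledge of the NT hash, which cannot be derived from an SSHA digest. The script below is an added illustration, not code from the thread or from FreeRADIUS or OpenLDAP: it builds and verifies OpenLDAP-style {SSHA} values (base64 of sha1(password || salt) || salt, the real layout) and classifies which inner method can be checked against a given stored value. The function names and the 4-byte constructed salt are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # {SSHA} = base64( sha1(password + salt) + salt )


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} userPassword value (hypothetical helper)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd-sized salt; any length parses back fine
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password (as PAP/GTC deliver it) against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:  # must carry a digest plus at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def scheme_of(stored: str) -> str:
    """Return the RFC 2307 scheme prefix (upper case), or CLEARTEXT when absent."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEARTEXT"


# Schemes a server can verify when it receives the password itself.
PASSWORD_CHECKABLE = {"CLEARTEXT", "CRYPT", "MD5", "SMD5", "SHA", "SSHA", "NT"}
# Schemes from which the NT hash needed for MSCHAP/MSCHAPv2 can be obtained.
NT_DERIVABLE = {"CLEARTEXT", "NT"}


def can_verify(inner_method: str, stored: str) -> bool:
    """Can this inner EAP method be authenticated against this stored value?"""
    scheme = scheme_of(stored)
    method = inner_method.upper().replace("-", "")
    if method in {"PAP", "GTC", "TTLSPAP"}:
        return scheme in PASSWORD_CHECKABLE
    if method in {"MSCHAP", "MSCHAPV2"}:
        return scheme in NT_DERIVABLE
    return False


if __name__ == "__main__":
    stored = ssha_hash("correct horse")  # constructed sample credential
    print(stored)
    for m in ("PAP", "GTC", "MSCHAPv2"):
        print(f"{m:9s} against {scheme_of(stored)}: {can_verify(m, stored)}")
    print("verify ok:", ssha_verify("correct horse", stored))
```

Running it shows the asymmetry: a salted {SSHA} entry is usable for PAP and GTC but not for MSCHAPv2, which is why the Macs that insist on MSCHAPv2 force the directory to keep either cleartext or an NT hash.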
