Help for configuration 3.0.11
Brian Candler
b.candler at pobox.com
Thu Sep 29 13:08:20 CEST 2016
On 28/09/2016 18:21, Philipp Trenz wrote:
>
> As I understand, PEAP gets processed within the outer default-virtual
> server and this passes the inner MS-CHAPv2 to inner-tunnel. Now I'm
> not sure if it has to be processed through the mschap-module or
> through ldap-module.
Both.
> If the mschap-module, where or when does FreeRADIUS get the NT-Password
> from LDAP? Does the mschap-module trigger the ldap-module?
>
You use the ldap module during the "authorize" phase, which finds the
account and reads out the NT password hash. Then you use the mschap
module during the "authenticate" phase, which actually checks the
supplied password against the NT password hash.
It is very important to remember that FreeRADIUS runs the authorize
modules *first*, and the authenticate modules at the end.
There are a couple of good articles here, specifically for using
FreeRADIUS with a FreeIPA backend:
http://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
They also give the fu required to get FreeIPA to store the ipaNTHash
attribute, and to selectively expose it to the RADIUS server.
(You don't want to expose your NT password hashes to the whole world;
they are essentially plain text passwords in their own right. A client
can use the NT password hash by itself to authenticate, without having
to brute force it.)
Regards,
Brian.
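As an added illustration of the authorize/authenticate split described in the reply above (example configuration written for this page, not taken from the original post or from the FreeRADIUS project; FreeRADIUS 3.0 syntax is assumed, and the server, DNs and bind credential are placeholders):

```conf
# mods-available/ldap (excerpt). Runs in "authorize": finds the account
# and pulls the stored NT hash. Server, DNs and password are placeholders.
ldap {
    server = 'ldaps://ipa.example.com'                                # placeholder
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'  # placeholder service account
    password = 'CHANGE_ME'                                            # placeholder
    base_dn = 'cn=users,cn=accounts,dc=example,dc=com'                # placeholder
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    update {
        # Copy ipaNTHash into the control list, where the mschap module
        # looks for it during "authenticate". This only works if the
        # bind account above has been granted read access to ipaNTHash;
        # nothing else should be able to read it, since the hash is
        # password-equivalent.
        control:NT-Password := 'ipaNTHash'
    }
}

# sites-available/inner-tunnel (excerpt): the order matters.
server inner-tunnel {
    authorize {
        # mschap in authorize only recognises the MS-CHAP attributes and
        # sets Auth-Type := MS-CHAP. It does not verify anything yet.
        mschap
        # ldap finds the user and populates control:NT-Password.
        ldap
    }
    authenticate {
        # Only now is the MS-CHAPv2 response checked against the hash
        # that ldap fetched during authorize.
        Auth-Type MS-CHAP {
            mschap
        }
    }
}
```

If ldap is listed after mschap in authorize but fails to return the hash (wrong bind DN, or no read permission on ipaNTHash), the authenticate step rejects the user because control:NT-Password is missing; `radiusd -X` shows whether the attribute was actually fetched.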