PEAP/EAP-MSCHAPv2 with OpenLDAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Aug 2 22:17:49 CEST 2017


> I have FreeRadius 3 and OpenLDAP and I want to use PEAP + EAP-MSCHAPv2 for
> authentication.
> I have NT-hash stored in a custom LDAP attribute.
> 
> I am still finding contradicting information whether that setup is
> supported. Is it?
> If so, is NT-hash == MD4(user_password)?

Not quite, it's the password converted to UTF16-LE encoding and then run through MD4.

https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_pap/rlm_pap.c#L995

There's a helpful utility called smbcrypt which is built as part of the server:

https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_mschap/smbencrypt.c

you could probably use that to create the hashes.

The steps would be:

- Modify LDAP ACLs so only the RADIUS user can read your custom LDAP attribute (it's pretty much as good as cleartext because MD4 is very much broken).
- Add an entry in the user mapping to map <your custom password attr> := &control:NT-Password

https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/mods-available/ldap#L116

- Call LDAP in the inner tunnel server to set the password attributes.

-Arran
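As an added illustration of the point above (this is example code written for this page, not code from Arran's reply or from the FreeRADIUS tree), the following self-contained Python computes an NT hash exactly as described: the password is encoded as UTF-16-LE and the result is run through MD4. MD4 is implemented inline from RFC 1320 because `hashlib` on current OpenSSL builds often refuses to load it. The `nt_hash_matches` helper is a hypothetical name showing how a stored hex value (as it would sit in the custom LDAP attribute) could be compared against a candidate password in constant time; the sample password and hex strings are constructed test vectors.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def _round(state, X, order, shifts, f, const):
    """One MD4 round: 16 steps, cycling the a/b/c/d roles each step."""
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _rotl((a + f(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320) over arbitrary bytes. Broken; shown only because
    the NT hash format requires it."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    # Padding: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z

    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        s = list(state)
        s = _round(s, X, range(16), (3, 7, 11, 19), F, 0)
        s = _round(s, X, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                   (3, 5, 9, 13), G, 0x5A827999)
        s = _round(s, X, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                   (3, 9, 11, 15), H, 0x6ED9EBA1)
        state = [(state[i] + s[i]) & MASK for i in range(4)]

    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16-LE(password)); note it is NOT MD4 of the raw
    (UTF-8) password bytes."""
    return md4(password.encode("utf-16-le"))


def nt_hash_matches(stored_hex: str, candidate: str) -> bool:
    """Hypothetical check against a hex NT hash read from LDAP. Hex is
    compared case-insensitively (Samba-style attributes store it uppercase)
    and in constant time."""
    try:
        stored = bytes.fromhex(stored_hex.strip())
    except ValueError:
        return False
    return hmac.compare_digest(stored, nt_hash(candidate))


if __name__ == "__main__":
    # Constructed example values, not from any real directory.
    pw = "password"
    print("MD4(utf-8 bytes):", md4(pw.encode()).hex())
    print("NT hash         :", nt_hash(pw).hex())
    print("matches stored  :", nt_hash_matches("8846F7EAEE8FB117AD06BDD830B7586C", pw))
```

Running the script shows why the "MD4(user_password)" description is not quite right: the two digests for the same password differ, and only the UTF-16-LE variant equals the value a Windows or Samba client expects. Because the stored hash is password-equivalent for MSCHAPv2, it deserves the same LDAP ACL treatment as a cleartext password, which is the first step in the list above.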