Porting eduroam from 2 to 3

Olivier Olivier.Nicole at cs.ait.ac.th
Thu Sep 28 10:08:03 CEST 2017


Olivier <Olivier.Nicole at cs.ait.ac.th> writes:

> Thank you Alan,
>
> Alan DeKok <aland at deployingradius.com> writes:
>
>> On Sep 27, 2017, at 4:52 AM, Olivier <Olivier.Nicole at cs.ait.ac.th> wrote:
>>> So far, the authorize is OK, but the Auth-Type is set to inner-eap and
>>> it will not try another LDAP bind in the authentication section:
>>
>>   Because LDAP bind doesn't work with MS-CHAP.
>
> Yes, I know that.
>
>>> (8) ldap_wifi: EXPAND (&(csimAccountPermission=firewall)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
>>> (8) ldap_wifi:    --> (&(csimAccountPermission=firewall)(uid=on))
>>> (8) ldap_wifi: Performing search in "ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" with filter "(&(csimAccountPermission=firewall)(uid=on))", scope "one"
>>> (8) ldap_wifi: Waiting for search result...
>>> (8) ldap_wifi: User object found at DN "uid=on,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
>>> (8) ldap_wifi: Processing user attributes
>>> (8) ldap_wifi: control:Password-With-Header += '{MD5}something=='
>>
>>   Read this page:
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>>> (8) inner-eap: Peer sent packet with method EAP MSCHAPv2 (26)
>>> (8) inner-eap: Calling submodule eap_mschapv2 to process data
>>> (8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-eduroam
>>> (8) eap_mschapv2:   authenticate {
>>> (8) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
>>> (8) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
>>> (8) mschap: Creating challenge hash with username: on at cs.ait.ac.th
>>> (8) mschap: Client is using MS-CHAPv2
>>
>>   MD5 hashed passwords won't work with MSCHAP.
>>
>>> In version2, I used to have:
>>
>>   And v2 also didn't work with MD5 hashed passwords and PEAP.
>
> I have a version 2 working, where the WiFi sends the password to
> FreeRadius and FreeRadius uses that password to bind to LDAP.

Obviously, that is not the way it was working. I tried the version 2
server with -X and found out that it accesses the NT-hash password, not
the MD5 one.

After adding the NT-Password, it now works.

Thank you,

Olivier

> I have been pretty happy with letting LDAP do the authentication so far.
>
>>   You need to:
>>
>> a) put clear-text (or nt-hash) passwords into the DB
>>
>>   or
>>
>> b) use an EAP method which is compatible with MD5 passwords, such as EAP-TTLS with PAP.
>
> I have been trying to do that, following the tutorial on
> http://wiki.freeradius.org/guide/eduroam but I don't understand what
> need to be changed to that effect.
>
> Thanks,
>
> Olivier
>
>>   Pick one.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
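The two options Alan lists, and the finding that the old server was reading an NT hash rather than the {MD5} value, come down to one fact: MS-CHAPv2 is computed over the NT-Password (MD4 of the UTF-16LE password), which cannot be derived from an MD5 digest. The script below is an added illustration, not code from the thread or from FreeRADIUS; it carries its own MD4 (OpenSSL 3 ships MD4 only as a legacy algorithm) and uses constructed directory entries whose `sambaNTPassword` attribute and password values are assumptions for the demonstration.

```python
"""Why an {MD5} userPassword cannot serve MS-CHAPv2, and what can.

Added example (not from the thread or FreeRADIUS). MS-CHAPv2 needs the
NT-Password, MD4 over the UTF-16LE password; it cannot be derived from an
MD5 digest, so either the directory stores the NT hash (Alan's option a)
or the inner method is PAP under EAP-TTLS (option b), where the server
gets the cleartext and can check it against any stored hash form.
"""
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _round(v, X, order, shifts, f, const):
    # One MD4 round: updates a, d, c, b in turn (index (-i) % 4), each from
    # the other three words in rotated order and message word X[order[i]].
    for i, k in enumerate(order):
        j = (-i) % 4
        t = (v[j] + f(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + X[k] + const) & MASK
        v[j] = _lrot(t, shifts[i % 4])
    return v


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included because OpenSSL 3 hides MD4 as legacy."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        v = list(state)
        v = _round(v, X, range(16), (3, 7, 11, 19),
                   lambda x, y, z: (x & y) | (~x & z), 0)
        v = _round(v, X, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13),
                   lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999)
        v = _round(v, X, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                   (3, 9, 11, 15), lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1)
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_password(password: str) -> bytes:
    """NT-Password as rlm_mschap needs it: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def verify_md5_userpassword(stored: str, candidate: str) -> bool:
    """PAP-style check of a cleartext against an OpenLDAP '{MD5}<base64 digest>'.

    This is what EAP-TTLS/PAP makes possible: the server holds the cleartext
    for the duration of the request, so any stored hash form can be compared.
    """
    if not stored.startswith("{MD5}"):
        raise ValueError("not an {MD5} userPassword")
    digest = base64.b64decode(stored[len("{MD5}"):])
    return hmac.compare_digest(digest, hashlib.md5(candidate.encode()).digest())


def mschapv2_capable(entry: dict) -> bool:
    """True when the entry carries something MS-CHAPv2 can use: a stored NT
    hash (here in the Samba-schema attribute sambaNTPassword, an assumption
    for this example) or a cleartext userPassword. An {MD5} value alone is
    not enough; that is the 'Cannot create NT-Password' warning in the log."""
    pw = entry.get("userPassword", "")
    cleartext = pw.startswith("{CLEAR}") or not pw.startswith("{")
    return "sambaNTPassword" in entry or cleartext


# Constructed directory entries; the uid and password are made up.
PASSWORD = "correct horse"
ENTRY_MD5_ONLY = {
    "uid": "on",
    "userPassword": "{MD5}" + base64.b64encode(hashlib.md5(PASSWORD.encode()).digest()).decode(),
}
ENTRY_WITH_NT = dict(ENTRY_MD5_ONLY, sambaNTPassword=nt_password(PASSWORD).hex().upper())

if __name__ == "__main__":
    print("NT hash of 'password':", nt_password("password").hex())
    print("MD5-only entry usable by MS-CHAPv2:", mschapv2_capable(ENTRY_MD5_ONLY))
    print("entry with NT hash usable by MS-CHAPv2:", mschapv2_capable(ENTRY_WITH_NT))
    print("PAP check against {MD5}:", verify_md5_userpassword(ENTRY_MD5_ONLY["userPassword"], PASSWORD))
```

The `{MD5}` entry passes the PAP check but fails `mschapv2_capable`, which is the situation in the `(8) mschap: WARNING` lines above; adding the NT hash attribute flips it, which matches what fixed the version 3 server. Keeping NT hashes in the directory also means those attributes deserve the same access controls as cleartext passwords, since an NT hash is password-equivalent for MS-CHAPv2.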
