WPA2 Client Authentication using Radius and remote LDAP server

Christian Salway ccsalway at yahoo.co.uk
Wed Sep 19 23:00:14 CEST 2018


EAP comes in many forms but I imagine you are using MSCHAP which is a hash of the real password.

Both sides (server and client) compare their hashes for authentication so the plain-text password is never transferred across the network.

The password stored in Active Directory is also hashed. MSCHAP is similar in hashing principle to NTLM so the hashes can be compared between server and AD.

MSCHAP is massively flawed though and passwords can be worked out in 24 hrs no matter the size or complexity, and LDAP does not encrypt the data when set to use EAP-MSCHAP.

You could try PEAP or TTLS but only Windows natively supports PEAP, leaving OSX with only MSCHAP and neither with TTLS. The better option is to use client certificate authentication.

> On 19 Sep 2018, at 18:41, Alan DeKok <aland at deployingradius.com> wrote:
> 
>> On Sep 19, 2018, at 5:04 AM, daada muyiwa via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> 
>> Is it an actual LDAP server?  Or is it Active Directory?
>> ''Active directory''
> 
>  Then it's not a real LDAP server.  It's close, but not quite a real LDAP server.
> 
>>> Allow FreeRADIUS to read the "known good" password from LDAP, and it will Just Work.
>> 
>> How do I make Freeradius decrypt the EAP request and query the AD with the clear text password in order to authenticate a user.
> 
>  You don't.  It's impossible.  You need to follow the Active Directory configuration guide:
> 
> http://deployingradius.com/documents/configuration/active_directory.html
> 
>  Alan DeKok.
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
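The exchange above turns on one point: in MS-CHAPv2 the supplicant never sends the password, only a response derived from the NT hash, so the RADIUS server must obtain that NT hash (which is what the ntlm_auth/winbind route in the AD guide does) rather than "decrypt" anything. The following Python is an added example, not code from this thread, from FreeRADIUS, or from Samba. It carries the two hashing steps of RFC 2759 through on constructed inputs (the user name, password and both 16-byte challenges are made up); the final step, three DES encryptions of the 8-byte challenge hash under the zero-padded NT hash, is only described in the comments, not implemented. MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
import struct
import hashlib


def _lrot(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new('md4') often fails under OpenSSL 3."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + fn(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the next word
        a0 = (a0 + a) & 0xFFFFFFFF
        b0 = (b0 + b) & 0xFFFFFFFF
        c0 = (c0 + c) & 0xFFFFFFFF
        d0 = (d0 + d) & 0xFFFFFFFF
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 section 8.3): MD4 over the UTF-16LE password.

    This is the value Active Directory stores for the account and the value
    FreeRADIUS must hold (fetched via ntlm_auth/winbind) to verify a response.
    """
    return md4(password.encode("utf-16le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 section 8.2): SHA-1 over peer || authenticator challenge
    || user name (no domain prefix), truncated to 8 bytes. All inputs are on the wire."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("utf-8")).digest()
    return digest[:8]


def mschapv2_material(username: str, password: str, peer_challenge: bytes, authenticator_challenge: bytes) -> dict:
    """Separate what crosses the network from what the server must possess.

    The 24-byte NT-Response (not computed here) is DES(ch8, k1) || DES(ch8, k2) || DES(ch8, k3),
    where k1..k3 are 7-byte slices of the NT hash zero-padded to 21 bytes.  Verifying it
    therefore needs the NT hash, never the clear-text password: that is why the server
    cannot "decrypt the EAP request" and hand AD a plain password.
    """
    return {
        "on_the_wire": {
            "username": username,
            "authenticator_challenge": authenticator_challenge,
            "peer_challenge": peer_challenge,
            "challenge_hash": challenge_hash(peer_challenge, authenticator_challenge, username),
        },
        "server_side_secret": nt_password_hash(password),
    }


if __name__ == "__main__":
    # Constructed sample inputs; not real account data or captured traffic.
    auth_ch = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
    peer_ch = bytes.fromhex("a1a2a3a4a5a6a7a8a9aaabacadaeafb0")
    m = mschapv2_material("jdoe", "password", peer_ch, auth_ch)
    print("NT hash (server side):", m["server_side_secret"].hex())
    print("challenge hash (wire):", m["on_the_wire"]["challenge_hash"].hex())
```

Running it shows that nothing in the "on_the_wire" set contains the password or anything derivable from it without the NT hash, while the NT hash itself is exactly what the DC releases to winbind for ntlm_auth. It also makes the poster's "both sides compare hashes" remark precise: the comparison happens over the NT-Response, computed from the NT hash on both ends.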
