Freeradius-Users Digest, Vol 181, Issue 4

Gleb Lisikh in4bit.general at gmail.com
Sun May 3 19:10:28 CEST 2020


>> I was able to overcome the need for Cleartext password in MSCHAPv2 EAP
inner tunnel authentication by adding python to
/usr/local/etc/raddb/sites-enabled/inner-tunnel, as well as returning
NT-Password in the config return. No other types of hashing have been
otherwise recognized by mschap.

 > Alan: Yes, that's what you were told.
Not really... unless I completely missed one of your responses, Alan. The
advice was to use PAP for authentication and LDAP or SQL for storing an
encrypted password. None of those work for me due to the client
authentication requirements, which I clearly stated.

> >It seems like a workable solution for now, unless this would be
considered as not in line with best practices and/or will have some
undesirable consequences.

   > Alan: As said before, Cleartext-Password and NT-Password are your only
options.  As such, using them is necessary.
Again, had NT-Password been mentioned somewhere I would have tried it right
away. Sorry if I did miss something in your responses. But your overall
hints and guidance were very useful for me in finding the solution!

 > Alan: This isn't about "best practices" or "undesirable consequences".
Nothing else works, so these are your *only* practices.
Good to know. Thanks for confirming.

We can close this thread. Thanks again!

Gleb



On Sun, May 3, 2020 at 6:00 AM <
freeradius-users-request at lists.freeradius.org> wrote:

> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Proxy when SIP Request method is MESSAGE (João Vitor Arruda)
>    2. Re: Proxy when SIP Request method is MESSAGE (Matthew Newton)
>    3. Re: Best/simplest authentication method to validate an
>       encrypted user/password against encrypted known-good. (Gleb Lisikh)
>    4. Re: Best/simplest authentication method to validate an
>       encrypted user/password against encrypted known-good. (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 2 May 2020 10:30:31 -0300
> From: João Vitor Arruda <joao.arruda at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Proxy when SIP Request method is MESSAGE
> Message-ID:
>         <CABQ6UzXVOeDBqqeozA-6L92HM=ZW4b0q6gnkHzD7LX=
> B6n32gg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> I currently have FS being used as a B2BUA for voice calls (INVITE SIP
> Request method) but I also need to process some MESSAGE type SIP
> requests.
>
> I'm wondering if there is a way to configure FS to completely proxy
> those messages without acting like a B2BUA.
>
> In my initial try I got a "chatplan" configured to handle those
> messages with a lua script that use: freeswitch.Event("info",
> "SMS::SEND_MESSAGE");
>
> This is kinda working, but the problem I'm having is that FS will reply
> "202 Accepted" to the original sender before it even forwards it to the
> final destination, which breaks our ability to really confirm that the
> message was accepted by the final destination.
>
> Joao Arruda
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 2 May 2020 15:54:43 +0100
> From: Matthew Newton <mcn at freeradius.org>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Proxy when SIP Request method is MESSAGE
> Message-ID: <472f48e9-50f1-1b8a-6a9d-3dbbbabc0231 at freeradius.org>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 02/05/2020 14:30, João Vitor Arruda wrote:
> > I currently have FS being used as a B2BUA for voice calls (INVITE SIP
> > Request method) but I also need to process some MESSAGE type SIP
> > requests.
>
> Wrong list...
>
> --
> Matthew
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 2 May 2020 13:24:13 -0400
> From: Gleb Lisikh <in4bit.general at gmail.com>
> To: Alan DeKok <aland at deployingradius.com>
> Cc: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Best/simplest authentication method to validate an
>         encrypted user/password against encrypted known-good.
> Message-ID:
>         <
> CAKMAD3nrkKwkkeUam9cYVA9yuO9bqXe3XC8MmUu+1PJttfnzyw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> I was able to overcome the need for Cleartext password in MSCHAPv2 EAP
> inner tunnel authentication by adding python
> to /usr/local/etc/raddb/sites-enabled/*inner-tunnel,* as well as returning
> *NT-Password* in the config return.
> No other types of hashing have been otherwise recognized by mschap.
>
> It seems like a workable solution for now, unless this would be considered
> as not in line with best practices and/or will have some undesirable
> consequences.
>
> Any comments are welcome.
>
> Thank you,
>
> Gleb
>
>
>
>
> On Fri, May 1, 2020 at 5:13 PM Gleb Lisikh <in4bit.general at gmail.com>
> wrote:
>
> > Thanks a lot Alan! I am making progress at least in my understanding of
> > how everything flows.
> >
> > The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication.
> > And mschap requires Cleartext-Password for known good password. Is there
> > any way to substitute such password with an encrypted (e.g. SHA1) string?
> > To your earlier point, I can do the following for PAP (in default or/and
> > inner-tunnel authorize section) to provide with a hashed password:
> > ##########
> > config = ( ('SHA-Password', 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d'),
> )
> > return (radiusd.RLM_MODULE_OK, reply, config)
> > #########
> >
> > But the Auth-Type is preset to MSCHAPv2, and the mschap demands for
> > Cleartext, and fails if it does not get it.
> >
> > Anything I can do to overcome this Cleartext problem?
> >
> > On a side note, I'd also rather not use SQL or LDAP for providing an
> > encrypted password, but this does not seem to be solving the problem of
> > mschap needing only Cleartext either, unless I am terribly confused.
> >
> > Regards,
> >
> > Gleb
> >
> >
> > On Wed, Apr 29, 2020 at 6:02 PM Alan DeKok <aland at deployingradius.com>
> > wrote:
> >
> >> On Apr 29, 2020, at 5:03 PM, Gleb Lisikh <in4bit.general at gmail.com>
> >> wrote:
> >> > I'd like to be able to authenticate a user by comparing password
> >> provided
> >> > with the client's authentication request with what's in a password
> >> store.
> >> > It can be easily done by Clear-Text password, of course, but I cannot
> >> have
> >> > a known good password in that password store in Clear-Text form - only
> >> > encrypted (doesn't really matter how).
> >>
> >>   It does matter how.  FreeRADIUS has to understand the encrypted form
> in
> >> order to authenticate the user.
> >>
> >> > So ideally, i'd like to get an encrypted password string from a
> client,
> >> and
> >> > compare it with an encrypted password string retrieved from the known
> >> good
> >> > password store.
> >>
> >>   RADIUS doesn't work that way.
> >>
> >>   You can get the clear-text password from the user.  It's in the
> >> User-Password attribute.  You can get the encrypted password from a
> >> database such as SQL or LDAP.  The "pap" module will then compare the
> two.
> >>
> >> > The retrieval of the known good password is done in the
> >> > python module. And I'd rather not use SQL instead for the Python.
> >>
> >>   The python module should just hand the encrypted password to
> >> FreeRADIUS, and let FreeRADIUS do the work.
> >>
> >>   See mods-available/pap for documentation on what encrypted formats are
> >> supported.
> >>
> >> > EAP methods encrypt the whole message using the user passwords as a
> key
> >> (as
> >> > far as I understand it), which complicates the matter...
> >>
> >>   No.  EAP methods do something rather more complex, like TLS.
> >>
> >>   Alan DeKok.
> >>
> >>
>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 2 May 2020 15:01:33 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: glisikh at in4bit.com
> Cc: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Best/simplest authentication method to validate an
>         encrypted user/password against encrypted known-good.
> Message-ID: <8AC079A7-17C4-4B20-BD06-747DB1BB0105 at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
> On May 2, 2020, at 1:24 PM, Gleb Lisikh <in4bit.general at gmail.com> wrote:
> >
> > I was able to overcome the need for Cleartext password in MSCHAPv2 EAP
> inner tunnel authentication by adding python to
> /usr/local/etc/raddb/sites-enabled/inner-tunnel, as well as returning
> NT-Password in the config return.
> > No other types of hashing have been otherwise recognized by mschap.
>
>   Yes, that's what you were told.
>
> > It seems like a workable solution for now, unless this would be
> considered as not in line with best practices and/or will have some
> undesirable consequences.
>
>   As said before, Cleartext-Password and NT-Password are your only
> options.  As such, using them is necessary.
>
>   This isn't about "best practices" or "undesirable consequences".
> Nothing else works, so these are your *only* practices.
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 181, Issue 4
> ************************************************
>
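The rlm_python authorize() shape Gleb describes above (hand mschap an NT-Password in the config tuple so MSCHAPv2 can run from a stored NT hash instead of Cleartext-Password), written out as an added example; it is not code from this thread or from the FreeRADIUS project. Assumptions: the stand-alone `radiusd` stub mirrors rlm_python's return-code values, `NT_HASH_STORE` is constructed sample data (alice's entry is the well-known NT hash of "password"), and the module name used in the inner-tunnel `authorize {}` section is whatever the local rlm_python instance is called. The NT hash is an unsalted MD4 of the UTF-16LE password and is password-equivalent for MSCHAPv2, so the store holding it needs the same protection a cleartext store would.

```python
# rlm_python authorize() for the inner-tunnel: return NT-Password so that
# mschap can complete MSCHAPv2 without a Cleartext-Password in the store.
try:
    import radiusd                      # provided by FreeRADIUS when loaded by rlm_python
except ImportError:                     # assumption: stub carrying rlm_python's return codes
    class radiusd:
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2
        RLM_MODULE_NOTFOUND, RLM_MODULE_NOOP = 6, 7

# Constructed sample store: User-Name -> NT hash as 32 hex chars, which is one
# of the encodings mschap accepts for NT-Password. Treat it like a cleartext
# store: the hash alone is enough to answer an MSCHAPv2 challenge.
NT_HASH_STORE = {
    "alice": "8846f7eaee8fb117ad06bdd830b7586c",   # NT hash of "password"
}

HEX = set("0123456789abcdefABCDEF")


def _attr(p, name):
    """rlm_python hands the request in as a tuple of (attribute, value) pairs."""
    for k, v in p:
        if k == name:
            return v
    return None


def authorize(p):
    user = _attr(p, "User-Name")
    if user is None:
        return radiusd.RLM_MODULE_NOOP          # nothing to look up
    nthash = NT_HASH_STORE.get(user)
    if nthash is None:
        return radiusd.RLM_MODULE_NOTFOUND      # unknown user, let other modules decide
    if len(nthash) != 32 or any(c not in HEX for c in nthash):
        return radiusd.RLM_MODULE_FAIL          # corrupt store entry, never pass it on
    reply = ()
    config = (("NT-Password", nthash),)         # goes into the control list for mschap
    return (radiusd.RLM_MODULE_OK, reply, config)
```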

