RHEL 8, FreeRADIUS. LDAP, and Active Directory

[Matthew Newton]

On 06/06/2022 16:54, White, Daniel E. (GSFC-770.0)[AEGIS] via 
Freeradius-Users wrote:
> I am closer, but not quite there.
> 
> I got "radtest -x <user> <clear text password> localhost 0 testing123" to work.
> 
> I do not want passwords spewing over the network in cleartext,

They won't be going over the network in cleartext.

Even with PAP authentication the passwords are encrypted based around 
the RADIUS secret.

But you should be running your RADIUS traffic over a private network in 
any case, which makes the whole point mostly moot.


> but I cannot get "radtest -x -t mschap <user> <clear text password> localhost 0 testing123" working.
> 
> I get this is the server output:
> 
> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
> (0) mschap: ERROR: MS-CHAP2-Response is incorrect

Yes, FreeRADIUS has not been given a password to authenticate against, 
hence the error.

> I tried using "{nthash}..." for the password after finding smbencrypt, but no joy.
> 
> How do I either pass in an NT Password or get FR to encrypt the Cleartext-Password given ?

Using mschap you

a) get the cleartext password to FreeRADIUS (impossible with Active 
Directory)

b) get the mschap hash to FreeRADIUS (impossible with Active Directory)

c) send the mschap challenge and response to AD and ask it to check for 
you (needs Samba)

d) forget mschap, use PAP so you have the cleartext password available 
in FreeRADIUS, and open up other options (such as bind to LDAP).

In any case, mschap is practically no safer than PAP, it was broken 
years ago. Given you said in another post you are authenticating switch 
users, I would hazard a guess that a lot of them can only do PAP anyway.

Using Active Directory _really_ limits your options here.

-- 
Matthew