RHEL 8, FreeRADIUS, LDAP, and Active Directory
Matthew Newton
mcn at freeradius.org
Mon Jun 6 17:03:06 UTC 2022
On 06/06/2022 16:54, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users wrote:
> I am closer, but not quite there.
>
> I got "radtest -x <user> <clear text password> localhost 0 testing123" to work.
>
> I do not want passwords spewing over the network in cleartext,
They won't be going over the network in cleartext.
Even with PAP authentication the passwords are encrypted based around
the RADIUS secret.
But you should be running your RADIUS traffic over a private network in
any case, which makes the whole point mostly moot.
> but I cannot get "radtest -x -t mschap <user> <clear text password> localhost 0 testing123" working.
>
> I get this in the server output:
>
> (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
Yes, FreeRADIUS has not been given a password to authenticate against,
hence the error.
> I tried using "{nthash}..." for the password after finding smbencrypt, but no joy.
>
> How do I either pass in an NT Password or get FR to encrypt the Cleartext-Password given?
Using mschap you:
a) get the cleartext password to FreeRADIUS (impossible with Active Directory)
b) get the mschap hash to FreeRADIUS (impossible with Active Directory)
c) send the mschap challenge and response to AD and ask it to check for you (needs Samba)
d) forget mschap, use PAP so you have the cleartext password available in FreeRADIUS, and open up other options (such as bind to LDAP).
In any case, mschap is practically no safer than PAP; it was broken years ago. Given you said in another post you are authenticating switch users, I would hazard a guess that a lot of them can only do PAP anyway.
Using Active Directory _really_ limits your options here.
--
Matthew