freeradius 3.2.1 on debian 12.9 + LDAP
Alan DeKok
aland at deployingradius.com
Fri Mar 7 12:46:54 UTC 2025
On Mar 7, 2025, at 6:50 AM, Dariusz Bloch via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I've got LDAP users, with Samba passwords (amongst other attributes) as sambaNTPassword <http://ldap.telbridge/ldapadmin/cmd.php?cmd=schema&server_id=1&view=attributes&viewvalue=sambantpassword>, and try to authenticate users (Windows 10, 11) to access the LAN through an AccessPoint (192.168.176.5) using those passwords, since RADIUS and LDAP do not work well together.
RADIUS and LDAP do work together. What doesn't work as easily is Active Directory.
> According to the table, Windows default MS-CHAP (or MS-CHAPv2) works only with ntlm_auth (obviously I don't want to store passwords as cleartext in LDAP),
If you run MS-CHAP, then passwords ARE stored in clear-text in LDAP. You could argue that they're stored as "NT Hash", but it's 2025. MD4 has been broken for decades. It takes someone with ~100G of disk space a few milliseconds to convert the NT Hash to the original password.
If people tell you that MS-CHAP is more secure because "it doesn't send passwords in clear-text", they're either incompetent or lying. PAP is pretty much always better than CHAP or MS-CHAP.
See https://networkradius.com/articles/2022/04/01/pap-vs-chap.html. That's for CHAP, but the same arguments apply to MS-CHAP.
Or see https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-05#section-8.7. That will become an RFC later this year.
> so I'm trying to use the Samba password, as those are stored as some hashes.
That's only safe if the passwords are stored as salted hashes, not as NT hash.
> I should mention that my config works if passwords in LDAP are cleartext,
You shouldn't store passwords in LDAP in cleartext. You should store them salted, e.g. PBKDF2. Then, use PAP.
> Could anybody check my debug below with any suggestions with fixes?
Let's see...
> (7) ldap: Processing user attributes
> (7) ldap: control:Password-With-Header += '{SSHA}mrGmyTnxVsEdQ5eOtNfMghb4eqCV8pDF'
> (7) ldap: control:Cleartext-Password += '{SSHA}mrGmyTnxVsEdQ5eOtNfMghb4eqCV8pDF'
Ok, those passwords are salted, which is good. But why are you adding the salted hash as the clear-text password? Just add it as Password-With-Header, and the server will do the right thing.
> (7) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &control:Password-With-Header
This message indicates that something could be wrong.
I.e., you're adding a "known good" password twice. This is likely not what you want to do.
> ...
> (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (7) mschap: --> --username=dbloch3
> (7) mschap: Creating challenge hash with username: dbloch3
> (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (7) mschap: --> --challenge=9acea959342abf86
> (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (7) mschap: --> --nt-response=07a49c0565f4376624d86213c14b8445240d90a5ffd7ab78
> (7) mschap: ERROR: Program returned code (1) and output 'No logon servers are currently available to service the logon request. (0xc000005e)'
> (7) mschap: ERROR: No logon servers are currently available to service the logon request. (0xc000005e)
That seems pretty clear.
Alan DeKok.
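As an added illustration (not part of the original thread, and not FreeRADIUS's own code), the following Python shows what "Password-With-Header" verification amounts to for the `{SSHA}` values seen in the debug output, and why copying the same string into Cleartext-Password cannot match a user's typed password. The `{SSHA}` layout (base64 of the 20-byte SHA-1 digest followed by the salt) is the standard OpenLDAP format; the password, salt and hash below are constructed sample values, and the `verify_as_cleartext` function is a hypothetical stand-in for a literal string comparison.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; whatever follows it is the salt


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style value: '{SSHA}' + base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_header(value: str):
    """Split '{HDR}payload' into ('HDR', 'payload'); a value with no header yields (None, value)."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value


def verify_password_with_header(stored: str, candidate: str) -> bool:
    """Check a typed password against a stored value whose header names the hash scheme.

    Handles the salted {SSHA}, the unsalted {SHA}, and {CLEAR}/no header.
    Any other header is reported as unsupported rather than silently failing.
    """
    header, payload = split_header(stored)
    cand = candidate.encode("utf-8")

    if header == "SSHA":
        raw = base64.b64decode(payload)
        if len(raw) <= SHA1_LEN:        # no room for a salt: malformed value
            return False
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        calc = hashlib.sha1(cand + salt).digest()
        return hmac.compare_digest(calc, digest)   # constant-time compare

    if header == "SHA":
        digest = base64.b64decode(payload)
        return hmac.compare_digest(hashlib.sha1(cand).digest(), digest)

    if header in (None, "CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(payload.encode("utf-8"), cand)

    raise ValueError(f"unsupported password header {{{header}}}")


def verify_as_cleartext(stored: str, candidate: str) -> bool:
    """Hypothetical: what happens when the hash string itself is treated as the clear-text password.

    The only 'password' that would ever match is the literal '{SSHA}...' string,
    so real users always fail; this mirrors putting the LDAP hash into Cleartext-Password.
    """
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


# Constructed sample data (not from any real directory).
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_SALT = b"\x01\x02\x03\x04"          # OpenLDAP typically uses a 4-byte salt
SAMPLE_SSHA = make_ssha(SAMPLE_PASSWORD, SAMPLE_SALT)


if __name__ == "__main__":
    print(SAMPLE_SSHA)
    print("Password-With-Header, right password:", verify_password_with_header(SAMPLE_SSHA, SAMPLE_PASSWORD))
    print("Password-With-Header, wrong password:", verify_password_with_header(SAMPLE_SSHA, "wrong"))
    print("Same hash as Cleartext-Password:      ", verify_as_cleartext(SAMPLE_SSHA, SAMPLE_PASSWORD))
```

Note that the quoted value `mrGmyTnxVsEdQ5eOtNfMghb4eqCV8pDF` is 32 base64 characters, i.e. 24 bytes: a 20-byte SHA-1 digest plus a 4-byte salt, exactly the layout decoded above. In the LDAP module this is why the attribute should be mapped once, to `control:Password-With-Header` (as the default `mods-available/ldap` update section does for `userPassword`), and not additionally to `control:Cleartext-Password`.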