Hi Stephen,

I'm a newbie at RADIUS-LDAP and am also attempting an implementation at this
time; however, I think I can help a bit.

First, LDAP doesn't do authentication on passwords and the like; it just
provides the user details upon request from a calling application that's got
the right permissions. A RADIUS service would be one such caller.

Two, there's no such thing as an MS-CHAP password. You can't store, in your
LDAP directory, the MS-CHAP challenge response as a so-called password. I
believe the challenge response changes all the time. In any case, the
rlm_mschap authenticate function requires pukka LM or NT password hashes to
function correctly.

If you are going to use MS-CHAP exclusively then one method would be for you
to add the LM and/or NT passwords to your LDAP user records as well as
Auth-Type = MS-CHAP. The rlm_ldap authorize function requests and stores
these details from the LDAP server in preparation for the authentication.
Creation of LM & NT passwords from plain text is easy enough; there's a tool
that comes with FreeRADIUS, "smbencrypt", for this purpose.

Alternatively, since you already have plain text passwords in your LDAP user
records, you can let the authorization function of the rlm_mschap module
create the LM & NT passwords on the fly as well as setting the Auth-Type to
MS-CHAP. (The passwords are only transitory and are re-created every time the
user signs in.) For this to work you need to enable "password_attribute =
userPassword" in the ldap config section of your config file; also, in the
authorize order-of-execution section, see that both ldap & mschap are listed,
with ldap running *before* mschap.

The first method, with NT & LM passwords in the LDAP user records, has
worked fine for me. The second method, which I want to implement, I've just
tested with success and have copied the debug printout below.

I hope the above helps.
Regards, Mike D.

Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=61, length=133
        NAS-IP-Address = 10.3.1.82
        NAS-Port = 65
        NAS-Port-Type = Async
        User-Name = "michael"
        MS-CHAP-Challenge = 0x0bdbd77a69336389
        MS-CHAP-Response = 0x0d01000000000000000000000000000000000000000000000000af66a783a3264165017dec68ccb2fd6736b3565d862cc8aa
        Service-Type = Framed-User
        Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
    rlm_realm: No '@' in User-Name = "michael", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched DEFAULT at 183
  modcall[authorize]: module "files" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for michael
radius_xlat:  '(uid=michael)'
radius_xlat:  'dc=BBD'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=BBD, with filter (uid=michael)
rlm_ldap: checking if remote access for michael is allowed by dialupAccess
rlm_ldap: Added password ******** in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: user michael authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
  modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authtype
rlm_mschap: doing MS-CHAPv1 with NT-Password
  modcall[authenticate]: module "mschap" returns ok
modcall: group authtype returns ok
Sending Access-Accept of id 61 to 127.0.0.1:1028
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Protocol = PPP
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 61 with timestamp 3e7cfb8b
Nothing to do.  Sleeping until we see a request.
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Stephen A.
>Moore
>Sent: Friday, March 21, 2003 5:02 PM
>To: [EMAIL PROTECTED]
>Subject: Auth MS-CHAP against LDAP
>
>
>I am working on a project to provide a secure wireless network using VPNs
>for encryption and authentication.
>
>All users of the network are already registered on a central LDAP
>database. The problem currently encountered is that passwords must be sent
>using MS-CHAP to an LDAP server (via freeRADIUS) storing plain text
>passwords. My understanding of the LDAP configuration is that a password
>cannot be 'retrieved' from LDAP and instead a supplied password can only be
>compared to that which is stored. To get around this we have created an
>extra attribute in the LDAP database in which an MS-CHAP encrypted version
>of the user's password is stored. This should allow MS-CHAP to MS-CHAP
>comparison however it doesn't appear to be working.
>
>The ldap.attrmap file has been changed to map NT-Password to point to the
>gecos field (where the MS-CHAP password is stored). I am running freeRADIUS
>0.8.1 on RedHat Linux 7.3. freeRADIUS itself is running fine and will
>authenticate PAP against the LDAP database so I know that the freeRADIUS to
>LDAP communication is fine.
>
>A copy of the LDAP module from radiusd.conf is shown here:
>
>ldap {
>        server = "xxx"
>        port = 389
>        basedn = "o=uol"
>        filter = "(&(objectClass=User)(cn=%{Stripped-User-Name:-%{User-Name}})(loginDisabled=FALSE))"
>        dictionary_mapping = ${raddbdir}/ldap.attrmap
>        ldap_connections_number = 5
>        password_attribute = "NT-Password"
>        timeout = 4
>        timelimit = 3
>        net_timeout = 1
>}
>
>The authorize and authentication sections are as follows:
>
>authorize {
>        preprocess
>        ldap
>}
>
>authenticate {
>        authtype MS-CHAP {
>                mschap
>        }
>}
>
>and finally to test this I am using the Microsoft Windows 2000 VPN client,
>set to send MS-CHAP passwords to the radius server. The debug output from
>freeRADIUS is as follows:
>
>Ready to process requests.
>rad_recv: Access-Request packet from host 127.0.0.1:32804, id=140,
>length=126
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        User-Name = "testuser"
>        MS-CHAP-Challenge = 0x55f62411fc71c9c1
>        MS-CHAP-Response = 0x0101000000000000000000000000000000000000000000000000442ccd457fa62aeb0191c5762fee6cecd8bde7f16e5e00b3
>        NAS-IP-Address = x.x.x.x
>        NAS-Port = 0
>modcall: entering group authorize
>  modcall[authorize]: module "preprocess" returns ok
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for dtyson
>radius_xlat:  '(&(objectClass=User)(cn=testuser)(loginDisabled=FALSE))'
>radius_xlat:  'o=uol'
>ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to xxx:389, authentication 0
>rlm_ldap: bind as / to xxx:389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: performing search in o=uol, with filter
>(&(objectClass=User)(cn=testuser
>)(loginDisabled=FALSE))
>rlm_ldap: looking for check items in directory...
>rlm_ldap: Adding gecos as NT-Password, value
>937958CFCA106B3CDAE1645D3377E078 &
>op=21
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user testuser authorized to use remote access
>ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns ok
>modcall: group authorize returns ok
>  rad_check_password:  Found Auth-Type LDAP
>auth: type "LDAP"
>auth: Failed to validate the user.
>Login incorrect: [testuser/<no User-Password attribute>] (from client localhost port 0)
>Delaying request 0 for 1 seconds
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 140 to 127.0.0.1:32804
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 140 with timestamp 3e7ad9e9
>Nothing to do.  Sleeping until we see a request.
>
>Thanks in advance,
>
>Stephen A. Moore
>PC & Network Support Engineer
>Computing Services Department
>The University of Liverpool
>
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
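As an added worked example (my own code, not code from this thread, from Mike, or from FreeRADIUS), the script below shows the two things Mike's reply turns on: the NT-Password that smbencrypt, or rlm_mschap's authorize step in his second method, derives from the plaintext userPassword (MD4 over the UTF-16LE password, implemented here in pure Python from RFC 1320 so it runs with the standard library alone), and which 24 bytes of the 50-byte MS-CHAP-Response rlm_mschap then checks against that hash. The rad_recv sample it parses is constructed in the same layout as Mike's debug output, reusing his challenge but with a made-up response; the parser re-joins the hex value that the mailer wrapped across lines, as it was in both logs above. LM-Password is not computed (that needs DES); with the flags byte set to 0x01, as in both responses in this thread, only the NT-Response is verified, which is why Mike's log reads "doing MS-CHAPv1 with NT-Password".

```python
"""Added example (not from the thread or FreeRADIUS): NT-Password from a plaintext
userPassword, and the NT-Response that rlm_mschap checks against it, extracted
from a rad_recv block.  Standard library only; MD4 follows RFC 1320."""
import re
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3 builds."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1
            a = _lrot((a + f(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _lrot((a + h(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_password(plaintext: str) -> bytes:
    """NT-Password = MD4 of the UTF-16LE password (the NT hash smbencrypt prints)."""
    return md4(plaintext.encode("utf-16-le"))


ATTR_RE = re.compile(r"^\s+([A-Za-z][\w-]*) = ?(.*)$")
HEX_RE = re.compile(r"^(0x)?[0-9a-fA-F]+$")


def extract_request_attrs(debug_text: str) -> dict:
    """'Name = value' pairs from a rad_recv block; a hex value that the mailer
    wrapped onto following bare-hex lines is joined back into one string."""
    attrs, lines, i = {}, debug_text.splitlines(), 0
    while i < len(lines):
        m = ATTR_RE.match(lines[i])
        i += 1
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        while (value == "" or value.startswith("0x")) and i < len(lines) \
                and HEX_RE.match(lines[i].strip()):
            chunk = lines[i].strip()
            value += chunk[2:] if value and chunk.lower().startswith("0x") else chunk
            i += 1
        attrs[name] = value.strip('"')
    return attrs


def parse_mschap_response(hex_value: str) -> dict:
    """Split the 50-byte MS-CHAPv1 response (RFC 2433): ident, flags, LM-Response,
    NT-Response.  Flags bit 0 set means the NT-Response is the one to verify."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) != 50:
        raise ValueError("MS-CHAP-Response must be 50 bytes, got %d" % len(raw))
    return {"ident": raw[0], "flags": raw[1], "use_nt_response": bool(raw[1] & 1),
            "lm_response": raw[2:26], "nt_response": raw[26:50]}


def mschap_summary(debug_text: str) -> dict:
    attrs = extract_request_attrs(debug_text)
    info = parse_mschap_response(attrs["MS-CHAP-Response"])
    info["user"] = attrs.get("User-Name")
    info["challenge"] = bytes.fromhex(attrs["MS-CHAP-Challenge"][2:])
    return info


# Constructed sample in the layout of Mike's rad_recv block: his challenge, but a
# made-up response (ident 0x0d, flags 0x01, zero LM-Response, arbitrary NT-Response)
# wrapped after 74 hex digits the way the mailer wrapped the real one.
_RESPONSE_HEX = "0d01" + "00" * 24 + bytes(range(0xA1, 0xB9)).hex()
SAMPLE_DEBUG = "\n".join([
    "rad_recv: Access-Request packet from host 127.0.0.1:1028, id=61, length=133",
    "        NAS-IP-Address = 10.3.1.82",
    "        NAS-Port = 65",
    '        User-Name = "michael"',
    "        MS-CHAP-Challenge = 0x0bdbd77a69336389",
    "        MS-CHAP-Response =",
    "0x" + _RESPONSE_HEX[:74],
    _RESPONSE_HEX[74:],
    "        Service-Type = Framed-User",
])

if __name__ == "__main__":
    print("NT-Password for 'password':", nt_password("password").hex().upper())
    s = mschap_summary(SAMPLE_DEBUG)
    print(s["user"], s["challenge"].hex(), "flags", s["flags"], s["nt_response"].hex())
```

Run as-is it prints the NT hash of the test password "password" and the parsed challenge, flags and NT-Response from the sample. Under Mike's second method, the hex that nt_password() returns for a user's userPassword is exactly the transient NT-Password rlm_mschap builds in authorize; under his first method it is what you store in the directory attribute that ldap.attrmap maps to NT-Password.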

