[EMAIL PROTECTED] wrote:

> Hi,
>
> I am really stuck :-(
> Let me try to explain what I intended to do: 1.) PAP is just the clear-text password??? -> I thought PAP is hashing the password with a challenge (MD-5). This means the client is then transmitting this hash to the RADIUS, which might hold the password in cleartext or as an MD-5 hash as well. Either comparing the hashes or the passwords

No.

> So I want the server to hold a crypted password (MD-5) for PAP, but retrieving that from the LDAP server.

In fact, that wouldn't even work if you were correct, as for encrypting
passwords you typically add a random seed before hashing, so if you build
two password hashes, they are different even for the same password (to
avoid "replay attacks" in whatever flavour).

> 2.) I do not want to do any binding to the LDAP for authentication!
> I just want to retrieve the information from the LDAP, but then authenticate only by the RADIUS itself!!

Getting the plaintext password from the LDAP server is something FreeRADIUS
should always allow to work.

Some more details on the protocols, if you are interested:
PAP: The RADIUS client takes the password and XORs it with a hash value
obtained from the RADIUS secret that the client shares with the server and
transmits the "encrypted" password. The server does the same computation
and obtains the cleartext password. If it knows the cleartext password from
your LDAP-Server it checks it and is done, if it knows a hash value from
your LDAP-Server, it computes the hash value of the password it obtained
from the client and compares the hash values.

CHAP: During the authentication process, the machine trying to authenticate
gets a challenge and responds to it, based on the cleartext password. The
RADIUS client (i.e. the NAS) takes the CHAP challenge and CHAP response and sends
both of them to the RADIUS server. The server takes the cleartext password
and checks that the given response is correct for the given challenge. If the
server cannot get the cleartext password it cannot verify the CHAP data.

MS-CHAP: Essentially the same with an initially somewhat less secure method
for computing responses to challenges (probably to conform with US export
laws of that time), meanwhile "updated" to use a reasonable protocol (if you
use NT-Response and not the old LM-Response). Mostly interesting because it
also computes/distributes session keys based on username and password.
Note that if an attacker can guess (or brute-force) the password, he also
obtains the communication keys, so this encryption is only worth mentioning,
if you put your users under strict password policies (i.e. use complicated
passwords, change them often and don't write them down). :-(
Note that contrary to CHAP, where you do need the cleartext password to verify
the response for the challenge, there's an intermediate result ("LM-Password"
or "NT-Password" depending on whether you're using NT-Response or LM-Response
mentioned above) which is sufficient to check the correctness of the response
(OTOH, it's also sufficient to steal said intermediate result to convince NAS
and RADIUS server to give you access, so if your server isn't secure, it
doesn't help if you only stored those intermediate results instead of the
cleartext passwords).

       Regards,
                Stefan  
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
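Stefan's PAP and CHAP descriptions above, as an added example that is not from the thread or from FreeRADIUS itself: the RFC 2865 User-Password hiding a NAS applies, the server-side unhiding and comparison against a (constructed) salted hash, and the RFC 1994 CHAP response check, which only works with the cleartext password in hand. The shared secret, Request Authenticator, password and salt are constructed sample values.

```python
import hashlib
import hmac
import secrets

def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2 User-Password hiding. Every 16-byte block is XORed
    with MD5(secret + previous block); the first "previous block" is the Request
    Authenticator. When unhiding, the chained value is the received ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, mask))
        out += block
        prev = block if hiding else chunk
    return out

def pap_hide(password, secret, authenticator):
    """What the NAS sends: password NUL-padded to a multiple of 16, then masked."""
    pad = (-len(password)) % 16 or (16 if not password else 0)
    return _xor_chain(password + b"\x00" * pad, secret, authenticator, True)

def pap_unhide(hidden, secret, authenticator):
    """What the server recovers: the cleartext, which it can then hash and
    compare with whatever (salted) hash the directory hands back."""
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def make_stored_hash(password, salt=None):
    """Constructed stand-in for a salted password hash stored in LDAP."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_verify(stored, password):
    salt, digest = stored
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, salt, 100_000), digest)

def chap_response(ident, password, challenge):
    """RFC 1994: Response = MD5(Identifier || password || Challenge). The server
    must feed the cleartext password in; a salted hash cannot produce this."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident, password, challenge, response):
    return hmac.compare_digest(chap_response(ident, password, challenge), response)

if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", secrets.token_bytes(16)
    hidden = pap_hide(b"hunter2-example", secret, auth)  # as sent by the NAS
    print(pap_verify(make_stored_hash(b"hunter2-example"), pap_unhide(hidden, secret, auth)))
    challenge, ident = secrets.token_bytes(16), 7
    print(chap_verify(ident, b"hunter2-example", challenge, chap_response(ident, b"hunter2-example", challenge)))
```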
Hm,

thanks to Stefan. As I now see, I had some gaps in my knowledge and I did not express myself exactly.

But I still have the problem of LDAP authentication!?!
Why is the RADIUS always trying to do LDAP authentication, even if it receives only a PAP request?

Thanks
Florian