Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
That worked. Thank you!

Alan DeKok wrote:
> Colleen C. Morrissey wrote:
>> I don't have the clear text password. Your original reply said this
>> would work with clear text password or nt hash. I have the NT hash
>> and/or I can get the SHA1 base 64 encoded password (which was working
>> with gtc by itself). Can I get pap/gtc to work with the NT hash password?
>> I don't manage the ldap service so getting the clear text password will
>> not be easy and may not be possible organizationally. Thanks.
>
> Hmm.. OK.
>
> In that case your best bet may be to grab the current code from CVS.
> See the web page for how to do CVS logins, etc. Then,
>
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 -d freeradius-1.1.7pre radiusd
>
> And the "freeradius-1.1.7pre" directory will contain a version that
> fixes the issue you're seeing in the mschap module.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
Colleen C. Morrissey wrote:
> I don't have the clear text password. Your original reply said this
> would work with clear text password or nt hash. I have the NT hash
> and/or I can get the SHA1 base 64 encoded password (which was working
> with gtc by itself). Can I get pap/gtc to work with the NT hash password?
> I don't manage the ldap service so getting the clear text password will
> not be easy and may not be possible organizationally. Thanks.

Hmm.. OK.

In that case your best bet may be to grab the current code from CVS.
See the web page for how to do CVS logins, etc. Then,

$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 -d freeradius-1.1.7pre radiusd

And the "freeradius-1.1.7pre" directory will contain a version that
fixes the issue you're seeing in the mschap module.

Alan DeKok.
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
Colleen C. Morrissey wrote:
> Hi,
>
>> Why? If you have the clear-text password on the server, you can just
>> compare the two. There's no need to configure rlm_pap to do the NT hash.
>
> I don't have the clear text password. Your original reply said this
> would work with clear text password or nt hash. I have the NT hash
> and/or I can get the SHA1 base 64 encoded password (which was working
> with gtc by itself). Can I get pap/gtc to work with the NT hash password?
> I don't manage the ldap service so getting the clear text password will
> not be easy and may not be possible organizationally. Thanks.

I know SHA1 will definitely work, as will NT but you will have to use the PAP module. The nt hash should be written into the check item NT-Password, I think sha is SHA-Password. If you're using LDAP just enable auto header and it'll figure it out for you :) , if you do use NT password be sure the FreeRADIUS <-> LDAP nt hash password attribute mapping is correct.
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
Hi,

> Why? If you have the clear-text password on the server, you can just
> compare the two. There's no need to configure rlm_pap to do the NT hash.

I don't have the clear text password. Your original reply said this would work with clear text password or nt hash. I have the NT hash and/or I can get the SHA1 base 64 encoded password (which was working with gtc by itself). Can I get pap/gtc to work with the NT hash password? I don't manage the ldap service so getting the clear text password will not be easy and may not be possible organizationally. Thanks.
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
Colleen C. Morrissey wrote:
> I spoke too soon. This works ok for a user/password in users file, but
> not via LDAP. Via ldap mschap works but not gtc. Below is snippet of
> output when it is failing. Any advice on how to fix would be appreciated:
> [EMAIL PROTECTED] raddb]# more gtc_info
> modcall: entering group authenticate for request 502
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/gtc
> rlm_eap: processing type gtc

... which sends the clear-text password to the server.

> Processing the authenticate section of radiusd.conf
> modcall: entering group PAP for request 502
> rlm_pap: login attempt with password blah
> rlm_pap: Using NT encryption.

Why? If you have the clear-text password on the server, you can just
compare the two. There's no need to configure rlm_pap to do the NT hash.

> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Hash blah'
> rlm_mschap: Unknown expansion string "NT-Hash blah"
> radius_xlat: ''

That's a bug which will be fixed in 1.1.7, but it shouldn't affect you...

Alan Dekok.
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
I spoke too soon. This works ok for a user/password in users file, but not via LDAP. Via ldap mschap works but not gtc. Below is snippet of output when it is failing. Any advice on how to fix would be appreciated:

[EMAIL PROTECTED] raddb]# more gtc_info
modcall: entering group authenticate for request 502
rlm_eap: Request found, released from the list
rlm_eap: EAP/gtc
rlm_eap: processing type gtc
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 502
rlm_pap: login attempt with password blah
rlm_pap: Using NT encryption.
radius_xlat: Running registered xlat function of module mschap for string 'NT-Hash blah'
rlm_mschap: Unknown expansion string "NT-Hash blah"
radius_xlat: ''
rlm_pap: mschap xlat failed
rlm_pap: Passwords don't match

Colleen C. Morrissey wrote:
> Thanks! I had ldap returning Password-with-Header for GTC deployment
> and then added NT-Password for ms-chapv2. Commenting out the
> password-with-header for userpassword in ldap.attrmap seems to allow
> both to work. Which makes my life much easier :)
>
> Alan Dekok wrote:
>> Colleen C. Morrissey wrote:
>>> My question is can I somehow support both simultaneously with the same
>>> freeradius daemon (I know I can simply run a second daemon on different
>>> port supporting the other but that will require me to do lots of work on
>>> infrastructure/ssids to point to different servers)? Does anybody
>>> happen to have this working and be willing to post config? Or any other
>>> ideas?
>> Yes. If you configure the server to know about the user's clear-text
>> password or NT-hashed password, then PEAP/GTC should "just work".
>>
>> Alan DeKok.
>> --
>> http://deployingradius.com - The web site of the book
>> http://deployingradius.com/blog/ - The blog
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
Thanks! I had ldap returning Password-with-Header for GTC deployment and then added NT-Password for ms-chapv2. Commenting out the password-with-header for userpassword in ldap.attrmap seems to allow both to work. Which makes my life much easier :)

Alan Dekok wrote:
> Colleen C. Morrissey wrote:
>> My question is can I somehow support both simultaneously with the same
>> freeradius daemon (I know I can simply run a second daemon on different
>> port supporting the other but that will require me to do lots of work on
>> infrastructure/ssids to point to different servers)? Does anybody
>> happen to have this working and be willing to post config? Or any other
>> ideas?
>
> Yes. If you configure the server to know about the user's clear-text
> password or NT-hashed password, then PEAP/GTC should "just work".
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
Colleen C. Morrissey wrote:
> My question is can I somehow support both simultaneously with the same
> freeradius daemon (I know I can simply run a second daemon on different
> port supporting the other but that will require me to do lots of work on
> infrastructure/ssids to point to different servers)? Does anybody
> happen to have this working and be willing to post config? Or any other
> ideas?

Yes. If you configure the server to know about the user's clear-text
password or NT-hashed password, then PEAP/GTC should "just work".

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
Hi,

I am running version 1.1.6 and have had a successful 802.1x/PEAP-GTC deployment for 3+ years. With Vista it looks like I have to move to 802.1x/PEAP-MSCHAPv2 - can not find peap-gtc supplicant. I was able to get 802.1x/PEAP-MSCHAPv2 working.

My question is can I somehow support both simultaneously with the same freeradius daemon (I know I can simply run a second daemon on different port supporting the other but that will require me to do lots of work on infrastructure/ssids to point to different servers)? Does anybody happen to have this working and be willing to post config? Or any other ideas?

Thank you for your time.

Colleen Morrissey