Re[2]: MS-CHAP not working

2003-02-12 Thread 3APA3A
Dear Frank Keeney,

It's most likely to be a problem of either MD4 or SHA1.

Can you send result for 'smbencrypt' for any known password?

--Wednesday, February 12, 2003, 6:06:18 PM, you wrote to [EMAIL PROTECTED]:


FK> Problem number two appears to be the Linux platform we used. MS-CHAP will
FK> not work under any condition on our Alpha CPU platforms running
FK> Debian. On our Intel Debian platforms MS-CHAP works fine.

FK> On Fri, 7 Feb 2003, Frank Keeney wrote:

>> Looks like we had two problems. You are correct, we kept typing in the
>> wrong password. MS-CHAP is working now but on a test server with a clean
>> install.
>> 
>> We're busy comparing the two servers' configs to find out what was wrong.
>> 


FK> - 
FK> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
~/ZARAZA
Yes, he was devilishly lucky. Oh, what a rotten time he would have had if he had survived! (Twain)


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
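
An independent reference for the check requested above, as an added example that is not part of the original message or of FreeRADIUS: a pure-Python MD4 with RFC 1320 known-answer vectors, and the NT hash (MD4 over the UTF-16LE password) built on it, to compare with the NT hash that smbencrypt reports on the suspect platform. The function names are this example's own.

```python
import struct

# Message-word order and rotation amounts for MD4 rounds 1-3 (RFC 1320).
ORDER = (
    tuple(range(16)),
    (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
    (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
)
SHIFT = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
ADD = (0, 0x5A827999, 0x6ED9EBA1)
MASK = 0xFFFFFFFF  # every intermediate value must stay a 32-bit word


def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            rnd = i // 16
            if rnd == 0:
                f = (b & c) | (~b & d)
            elif rnd == 1:
                f = (b & c) | (b & d) | (c & d)
            else:
                f = b ^ c ^ d
            t = (a + f + x[ORDER[rnd][i % 16]] + ADD[rnd]) & MASK
            s = SHIFT[rnd][i % 4]
            a = ((t << s) | (t >> (32 - s))) & MASK
            a, b, c, d = d, a, b, c  # rotate register roles
        state = [(h + v) & MASK for h, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, as upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def md4_self_test() -> list:
    """Return the RFC 1320 test inputs whose digest is wrong (empty = OK)."""
    vectors = {
        b"": "31d6cfe0d16ae931b73c59d7e0c089c0",
        b"abc": "a448017aaf21d8525fc10ae87aa6729d",
        b"message digest": "d9130a8164549fe818874806e1c7014b",
    }
    return [m for m, want in vectors.items() if md4(m).hex() != want]
```
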



Re: Re[2]: MS-CHAP

2002-11-29 Thread Josh Howlett
Dear 3APA3A,

Apologies if I am being a bit dim here!

Does this mean that I can authenticate MSCHAP against a remote SMB
server (using rlm_smb), and authorise them using, for example, a DBMS?

I take it that rlm_smb will not provide MPPE keys, only rlm_mschap?

thanks josh.

On Wed, 2002-11-27 at 15:52, 3APA3A wrote:
> Dear Josh Howlett,
> 
> No. rlm_smb is an authentication module, not an authorization one. You can use
> either rlm_mschap or rlm_smb.
> 
> --Wednesday, November 27, 2002, 6:46:43 PM, you wrote to [EMAIL PROTECTED]:
> 
> JH> Does that include rlm_smb?
> 
> JH> thanks, josh.
> 
> JH> On Wed, 2002-11-27 at 15:34, 3APA3A wrote:
> >> Dear Josh Howlett,
> >> 
> >> You can use mschap authentication module in conjunction with any
> >> authorization module (for example sql or dbm). All you need is cleartext
> >> or NT-crypted password to be accessible. So you can use almost any DBMS
> >> (Oracle, MySQL, PostgreSQL, MS SQL, DB2, Sybase, etc), LDAP, text
> >> password file format, DBM file format, and users file.
> >> 
> >> --Wednesday, November 27, 2002, 5:21:26 PM, you wrote to [EMAIL PROTECTED]:
> >> 
> >> JH> Hi,
> >> 
> >> JH> What can Freeradius use to authenticate MS-CHAP against?  I know of the
> >> JH> following methods:
> >> JH>  - the 'users' file
> >> JH>  - /etc/smbpasswd
> >> JH>  - LDAP directory
> >> JH>  - proxy to another RADIUS server
> >> 
> >> JH> Are there any others?
> >> 
> >> JH> thanks, josh.
> >> 
> >> 
> >> 
> >> -- 
> >> ~/ZARAZA
> >> On the whole, William, the local climate, if only
> >> it can be called a climate, is quite tolerable. (Twain)
> >> 
> 
> 
> -- 
> ~/ZARAZA
> Write again. And if there was any sense in your petition,
> then do not be shy, explain what it is about. (Twain)
> 
-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

---





Re[2]: MS-CHAP

2002-11-27 Thread 3APA3A
Dear Josh Howlett,

No. rlm_smb is an authentication module, not an authorization one. You can use
either rlm_mschap or rlm_smb.

--Wednesday, November 27, 2002, 6:46:43 PM, you wrote to [EMAIL PROTECTED]:

JH> Does that include rlm_smb?

JH> thanks, josh.

JH> On Wed, 2002-11-27 at 15:34, 3APA3A wrote:
>> Dear Josh Howlett,
>> 
>> You can use mschap authentication module in conjunction with any
>> authorization module (for example sql or dbm). All you need is cleartext
>> or NT-crypted password to be accessible. So you can use almost any DBMS
>> (Oracle, MySQL, PostgreSQL, MS SQL, DB2, Sybase, etc), LDAP, text
>> password file format, DBM file format, and users file.
>> 
>> --Wednesday, November 27, 2002, 5:21:26 PM, you wrote to [EMAIL PROTECTED]:
>> 
>> JH> Hi,
>> 
>> JH> What can Freeradius use to authenticate MS-CHAP against?  I know of the
>> JH> following methods:
>> JH>  - the 'users' file
>> JH>  - /etc/smbpasswd
>> JH>  - LDAP directory
>> JH>  - proxy to another RADIUS server
>> 
>> JH> Are there any others?
>> 
>> JH> thanks, josh.
>> 
>> 
>> 
>> -- 
>> ~/ZARAZA
>> On the whole, William, the local climate, if only
>> it can be called a climate, is quite tolerable. (Twain)
>> 


-- 
~/ZARAZA
Write again. And if there was any sense in your petition,
then do not be shy, explain what it is about. (Twain)





Re: Re[2]: MS-CHAP and LDAP

2002-09-11 Thread Alan DeKok

[EMAIL PROTECTED] wrote:
> Do you know whether there is a possibility to retrieve the W2k-passwords
> via ldap at all?

  I don't see why not.  They're just more pieces of data to sling
around.

  Alan DeKok.




Re[2]: MS-CHAP and LDAP

2002-09-11 Thread Martin_Deutscher

Dear 3APA3A,

>> Is there any way to retrieve LDAP-stored passwords (i.e. in a
>> W2k-domain controller) and use them in MS-CHAP
>> authentication/authorization?

KK> In general, yes. There is support for LM-Password and NT-Password in the
KK> ldap.attrmap file, so you should probably be ok. Just make sure they map to the
KK> correct ldap attributes and read doc/rlm_mschap.

3APA3A> These attributes are for SAMBA LDAP. Win2K AD doesn't store hashes in
3APA3A> LDAP, at least as lmPassword/ntPassword.

I guess that's the reason why my attempts to use LDAP and MS-CHAP in
combination have failed.
(Believe me, I read the doc-files more than once).
Do you know whether there is a possibility to retrieve the W2k-passwords
via ldap at all?
Or is that another case of MS-special solution?

Regards,

Martin





Re[2]: MS-CHAP and LDAP

2002-09-10 Thread 3APA3A

Dear Kostas Kalevras,



--Tuesday, September 10, 2002, 6:45:09 PM, you wrote to [EMAIL PROTECTED]:

>> Is there any way to retrieve LDAP-stored passwords (i.e. in a
>> W2k-domain controller) and use them in MS-CHAP
>> authentication/authorization?

KK> In general, yes. There is support for LM-Password and NT-Password in the
KK> ldap.attrmap file, so you should probably be ok. Just make sure they map to the
KK> correct ldap attributes and read doc/rlm_mschap.

These attributes are for SAMBA LDAP. Win2K AD doesn't store hashes in
LDAP, at least as lmPassword/ntPassword.

-- 
~/ZARAZA
The machine turned out to be capable of a single operation,
namely multiplying 2x2, and even then it got it wrong. (Lem)





Re[2]: MS-CHAP nt-lnPasswords on LDAP, 3APA3A

2002-04-27 Thread Andreas Grote



>as far as I can see op=11 is T_OP_EQ (=) token. You should use T_OP_SET
>(:=) token instead.
>
>Instead of configuring NT-Password and LM-Password for user you add
>these attributes to RADIUS reply.

Gee???

What are you talking about? I must have missed some essentials?
Where can I find information about that?
Where can I configure that?
???


Re[2]: MS-CHAP nt-lnPasswords on LDAP

2002-04-27 Thread 3APA3A

Dear Andreas Grote,

--Saturday, April 27, 2002, 1:51:19 PM, you wrote to [EMAIL PROTECTED]:

AG> 57D583AA46D571502AAD4BB7AEA09C70 & op=11
AG> rlm_ldap: Adding lmPassword as LM-Password, value
AG> 22124EA690B83BFBAAD3B435B51404EE & op=11

As far as I can see, op=11 is the T_OP_EQ (=) token. You should use the T_OP_SET
(:=) token instead.

Instead of configuring NT-Password and LM-Password for the user, you add
these attributes to the RADIUS reply.



-- 
~/ZARAZA
Write again. And if there was any sense in your petition,
then do not be shy, explain what it is about. (Twain)





Re[2]: MS-CHAP nt-lnPasswords on LDAP

2002-04-26 Thread 3APA3A

Dear Alan DeKok,

For example, you may want to allow your users to use PAP, CHAP and
MS-CHAP. In this case you will store the cleartext password. Somehow during
authorization it should be decided whether to use local, chap or ms-chap
authentication. In the case of ms_chap the cleartext password should be changed
to NT-Password or LM-Password, and if we have LM-Password or NT-Password
we can use MS-CHAP as an Auth-Type. This is exactly what rlm_mschap does
for authorize().

If you don't need PAP/CHAP you should store LM and NT passwords and always
use Auth-Type MS-CHAP. You don't need rlm_mschap in authorize {} in this
case.

I believe obtaining LM-Password and NT-Password is a part of the
authorization, not the authentication, process. But if required I can move it
to authenticate().

--Friday, April 26, 2002, 6:12:25 PM, you wrote to [EMAIL PROTECTED]:

AD> 3APA3A <[EMAIL PROTECTED]> wrote:
>> mschap in authorize is only required if you store cleartext
>> password, in this case it produces NT/LM hashes from cleartext.

AD>   That work can be done in the 'authenticate' code, can't it?  I don't
AD> see why it's required to be in the 'authorize' section.

AD>   Alan DeKok.



-- 
~/ZARAZA
On the whole, William, the local climate, if only
it can be called a climate, is quite tolerable. (Twain)

