Re[2]: MS-CHAP not working
Dear Frank Keeney,

It's most likely to be a problem of either MD4 or SHA1. Can you send the result of 'smbencrypt' for any known password?

--Wednesday, February 12, 2003, 6:06:18 PM, you wrote to [EMAIL PROTECTED]:

FK> Problem number two appears to be the Linux platform we used. MS-CHAP will
FK> not work under any condition on our Alpha CPU platforms running
FK> Debian. On our Intel Debian platforms MS-CHAP works fine.

FK> On Fri, 7 Feb 2003, Frank Keeney wrote:

>> Looks like we had two problems. You are correct, we kept typing in the
>> wrong password. MS-CHAP is working now but on a test server with a clean
>> install.
>>
>> We're busy comparing the two servers' configs to find out what was wrong.

--
~/ZARAZA
Yes, he was devilishly lucky. Oh, what a rotten time he would have had if he had survived! (Twain)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re[2]: MS-CHAP
Dear 3APA3A,

Apologies if I am being a bit dim here! Does this mean that I can authenticate MSCHAP against a remote SMB server (using rlm_smb), and authorise them using, for example, a DBMS?

I take it that rlm_smb will not provide MPPE keys, only rlm_mschap?

thanks josh.

On Wed, 2002-11-27 at 15:52, 3APA3A wrote:
> Dear Josh Howlett,
>
> No. rlm_smb is authentication module, not authorization one. You can use
> either rlm_mschap or rlm_smb.
>
> --Wednesday, November 27, 2002, 6:46:43 PM, you wrote to [EMAIL PROTECTED]:
>
> JH> Does that include rlm_smb?
>
> JH> thanks, josh.
>
> JH> On Wed, 2002-11-27 at 15:34, 3APA3A wrote:
>
> >> Dear Josh Howlett,
> >>
> >> You can use mschap authentication module in conjunction with any
> >> authorization module (for example sql or dbm). All you need is cleartext
> >> or NT-crypted password to be accessible. So you can use almost any DBMS
> >> (Oracle, MySQL, PostgreSQL, MS SQL, DB2, Sybase, etc), LDAP, text
> >> password file format, DBM file format, and users file.
> >>
> >> --Wednesday, November 27, 2002, 5:21:26 PM, you wrote to [EMAIL PROTECTED]:
> >>
> >> JH> Hi,
> >>
> >> JH> What can Freeradius use to authenticate MS-CHAP against? I know of the
> >> JH> following methods:
> >> JH> - the 'users' file
> >> JH> - /etc/smbpasswd
> >> JH> - LDAP directory
> >> JH> - proxy to another RADIUS server
> >>
> >> JH> Are there any others?
> >>
> >> JH> thanks, josh.
> >>
> >> --
> >> ~/ZARAZA
> >> On the whole, William, the local climate, if it can be called a climate at all,
> >> is quite tolerable. (Twain)
>
> --
> ~/ZARAZA
> Do write again. And if there was any sense in your petition,
> do not be shy, explain what it was about. (Twain)

--
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re[2]: MS-CHAP
Dear Josh Howlett,

No. rlm_smb is authentication module, not authorization one. You can use either rlm_mschap or rlm_smb.

--Wednesday, November 27, 2002, 6:46:43 PM, you wrote to [EMAIL PROTECTED]:

JH> Does that include rlm_smb?

JH> thanks, josh.

JH> On Wed, 2002-11-27 at 15:34, 3APA3A wrote:

>> Dear Josh Howlett,
>>
>> You can use mschap authentication module in conjunction with any
>> authorization module (for example sql or dbm). All you need is cleartext
>> or NT-crypted password to be accessible. So you can use almost any DBMS
>> (Oracle, MySQL, PostgreSQL, MS SQL, DB2, Sybase, etc), LDAP, text
>> password file format, DBM file format, and users file.
>>
>> --Wednesday, November 27, 2002, 5:21:26 PM, you wrote to [EMAIL PROTECTED]:
>>
>> JH> Hi,
>>
>> JH> What can Freeradius use to authenticate MS-CHAP against? I know of the
>> JH> following methods:
>> JH> - the 'users' file
>> JH> - /etc/smbpasswd
>> JH> - LDAP directory
>> JH> - proxy to another RADIUS server
>>
>> JH> Are there any others?
>>
>> JH> thanks, josh.
>>
>> --
>> ~/ZARAZA
>> On the whole, William, the local climate, if it can be called a climate at all,
>> is quite tolerable. (Twain)

--
~/ZARAZA
Do write again. And if there was any sense in your petition, do not be shy, explain what it was about. (Twain)
Re: Re[2]: MS-CHAP and LDAP
[EMAIL PROTECTED] wrote:
> Do you know whether there is a possibility to retrieve the W2k-passwords
> via ldap at all?

I don't see why not. They're just more pieces of data to sling around.

Alan DeKok.
Re[2]: MS-CHAP and LDAP
Dear 3APA3A,

>> Is there any way to retrieve LDAP-stored passwords (i.e. in a
>> W2k-domain controller) and use them in MS-CHAP
>> authentication/authorization?

KK> In general, yes. There is support for LM-Password and NT-Password in the
KK> ldap.attrmap file, so you should probably be ok. Just make sure they map to the
KK> correct ldap attributes and read doc/rlm_mschap.

3APA3A> These attributes are for SAMBA LDAP. Win2K AD doesn't store hashes in
3APA3A> LDAP, at least as lmPassword/ntPassword.

I guess that's the reason why my attempts to use LDAP and MS-CHAP in combination have failed. (Believe me, I read the doc-files more than once.)

Do you know whether there is a possibility to retrieve the W2k-passwords via ldap at all? Or is that another case of MS-special solution?

Regards, Martin
Re[2]: MS-CHAP and LDAP
Dear Kostas Kalevras,

--Tuesday, September 10, 2002, 6:45:09 PM, you wrote to [EMAIL PROTECTED]:

>> Is there any way to retrieve LDAP-stored passwords (i.e. in a
>> W2k-domain controller) and use them in MS-CHAP
>> authentication/authorization?

KK> In general, yes. There is support for LM-Password and NT-Password in the
KK> ldap.attrmap file, so you should probably be ok. Just make sure they map to the
KK> correct ldap attributes and read doc/rlm_mschap.

These attributes are for SAMBA LDAP. Win2K AD doesn't store hashes in LDAP, at least as lmPassword/ntPassword.

--
~/ZARAZA
The machine turned out to be capable of a single operation, namely multiplying 2x2, and even then it got it wrong. (Lem)
Re[2]: MS-CHAP nt-lnPasswords on LDAP, 3APA3A
> as far as I can see op=11 is T_OP_EQ (=) token. You should use
> T_OP_SET (:=) token instead.
> Instead of configuring NT-Password and LM-Password for user you add
> these attributes to RADIUS reply.

Gee??? What are you talking about? I must have missed some essentials? Where can I find information about that? Where can I configure that?
???
Re[2]: MS-CHAP nt-lnPasswords on LDAP
Dear Andreas Grote,

--Saturday, April 27, 2002, 1:51:19 PM, you wrote to [EMAIL PROTECTED]:

AG> 57D583AA46D571502AAD4BB7AEA09C70 & op=11
AG> rlm_ldap: Adding lmPassword as LM-Password, value
AG> 22124EA690B83BFBAAD3B435B51404EE & op=11

As far as I can see op=11 is T_OP_EQ (=) token. You should use T_OP_SET (:=) token instead. Instead of configuring NT-Password and LM-Password for user you add these attributes to RADIUS reply.

--
~/ZARAZA
Do write again. And if there was any sense in your petition, do not be shy, explain what it was about. (Twain)
Re[2]: MS-CHAP nt-lnPasswords on LDAP
Dear Alan DeKok,

For example you may want to allow your users to use PAP, CHAP and MS-CHAP. In this case you will store cleartext password. Somehow during authorization it should be decided either to use local, chap or ms-chap authentication. In case of ms_chap cleartext password should be changed to NT-Password or LM-Password and if we have LM-Password or NT-Password we can use MS-CHAP as an Auth-Type. This is exactly what rlm_mschap does for authorize().

If you needn't PAP/CHAP you should store LM and NT passwords and always use Auth-Type MS-CHAP. You needn't rlm_mschap in authorize {} in this case.

I believe obtaining LM-Password and NT-Password is a part of authorization, not authentication process. But if required I can move it to authenticate().

--Friday, April 26, 2002, 6:12:25 PM, you wrote to [EMAIL PROTECTED]:

AD> 3APA3A <[EMAIL PROTECTED]> wrote:

>> mschap in authorize is only required if you store cleartext
>> password, in this case it produces NT/LM hashes from cleartext.

AD> That work can be done in the 'authenticate' code, can't it? I don't
AD> see why it's required to be in the 'authorize' section.

AD> Alan DeKok.

--
~/ZARAZA
On the whole, William, the local climate, if it can be called a climate at all, is quite tolerable. (Twain)
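
Two messages on this page turn on the same computation: the 'smbencrypt' check requested in the "MS-CHAP not working" thread, and the cleartext-to-NT-Password step described above for rlm_mschap in authorize. The following is an added example, not part of the original posts and not FreeRADIUS code: a portable MD4/NT-hash routine whose output for a known password can be compared with the NT hash a suspect platform reports. The function names and the limit to ASCII passwords of at most 27 characters are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example. Fixed-width uint32_t makes every sum wrap at 32 bits whatever the host's long size. */
static uint32_t rotl(uint32_t x, int s) { return (x << s) | (x >> (32 - s)); }

static void md4_block(uint32_t st[4], const unsigned char *p) {
    static const int S[3][4] = {{3,7,11,19},{3,5,9,13},{3,9,11,15}};
    static const int K3[16] = {0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15};
    uint32_t X[16], a = st[0], b = st[1], c = st[2], d = st[3], t;
    for (int i = 0; i < 16; i++)   /* little-endian load, independent of host byte order */
        X[i] = p[4*i] | (uint32_t)p[4*i+1] << 8 | (uint32_t)p[4*i+2] << 16 | (uint32_t)p[4*i+3] << 24;
    for (int i = 0; i < 48; i++) {
        int r = i / 16, j = i % 16;
        if (r == 0)      t = a + ((b & c) | (~b & d)) + X[j];
        else if (r == 1) t = a + ((b & c) | (b & d) | (c & d)) + X[(j % 4) * 4 + j / 4] + 0x5a827999u;
        else             t = a + (b ^ c ^ d) + X[K3[j]] + 0x6ed9eba1u;
        t = rotl(t, S[r][j % 4]);
        a = d; d = c; c = b; b = t;   /* rotate register roles: ABCD -> DABC */
    }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

/* MD4 of msg[0..len), len < 56 (fits one padded block), as 32 uppercase hex digits. */
static void md4_hex(const unsigned char *msg, size_t len, char out[33]) {
    uint32_t st[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    unsigned char blk[64] = {0};
    memcpy(blk, msg, len);
    blk[len] = 0x80;                          /* padding marker */
    blk[56] = (unsigned char)(len << 3);      /* bit length, low byte */
    blk[57] = (unsigned char)(len >> 5);      /* bit length, second byte */
    md4_block(st, blk);
    for (int i = 0; i < 16; i++)
        sprintf(out + 2*i, "%02X", (unsigned)(st[i/4] >> (8 * (i % 4))) & 0xffu);
}

/* NT hash = MD4 over the UTF-16LE password. Hypothetical helper for this example:
   ASCII passwords of at most 27 characters only; returns NULL for longer input. */
const char *nt_hash(const char *pw) {
    static char hex[33];
    unsigned char u[54] = {0};
    size_t n = strlen(pw);
    if (n > 27) return NULL;
    for (size_t i = 0; i < n; i++) u[2*i] = (unsigned char)pw[i];
    md4_hex(u, 2*n, hex);
    return hex;
}

int main(void) { printf("%s\n", nt_hash("password")); return 0; } /* 8846F7EAEE8FB117AD06BDD830B7586C */
```

A mismatch between this value and the NT hash produced on one platform, with agreement on another, points at the hash implementation rather than at the server configuration.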