Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
On 21/09/11 03:11, Christ Schlacta wrote:
> Very true, thank you for pointing that out as well. Note to anyone following: if you use a certificate signed by a general authority (Verisign, for example) then anyone with a Verisign cert will be trusted in your place, and able to authenticate your users, i.e. as a man in the middle. They'll have access to the unencrypted password payload (NT, cleartext), which is a severe security compromise. That's why you (should) always use an internal Certificate Authority, where you control which certs are signed and distributed.

This is only minimally correct, IMO. Many EAP clients will, in addition to trusting the cert, record the CN of the cert on first connect. Some can even be pre-configured with the CA cert CN to expect (google su1x). So someone would have to:

1. Get a cert from the same CA
2. With the same CN

Assuming you get a cert from a reliable CA (and not one who, say, can get tricked by some horrible authoritarian government into giving them a wildcard cert...) this is much harder.

You are correct that, in an ideal world, using a private CA would be the easy go-to option. However, with the notable exception of Mac OS X and iOS (which have a sensible first-use confirmation GUI), it's a massive pain deploying a private CA. It's entirely understandable that people make the cost/benefit evaluation and come down in favour of a public CA.

All this could have been avoided if X.509 wasn't broken by design of course, but that's a topic for another forum ;o)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
uselessidbr wrote:
> People, I've read a lot about the WIFI/AP authentication over Freeradius using LDAP but it seems I cannot make it work unless I use clear-text password or NT/LM password, which as far as I know implies Samba + LDAP integration.

http://deployingradius.com/documents/protocols/compatibility.html

Note it doesn't mention Samba. NT-Passwords are a password *format*. They can be stored anywhere.

> My question is, is that really the only way to make freeradius authenticate users using an LDAP database? Do I need to have Samba + LDAP to authenticate WIFI users using freeradius + LDAP with EAP-MSCHAPv2?

No. You need cleartext passwords, or NT passwords. Where they are stored is a completely separate question.

> With my current configuration I was able to authenticate LDAP users with clear-text password but that's not what I really want as a WIFI authentication solution. My goal is to use freeradius to authenticate WIFI users using an LDAP database and without the need to use a non-native Windows application.

You can do that. Only if you use the correct password format.

> Here goes my debug using an encrypted user password (which fails):

It fails because you didn't tell the server what the correct password was.

Alan DeKok.
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
Christ Schlacta wrote:
> I thought if you had a certificate signed by a trusted root CA, you were good and didn't need to install anything on the client.

It's true that you don't need to install anything on the client. It's *not* true that it's a good idea.

Alan DeKok.
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
Hello. Thanks for the answers.

I have no AD integrated with LDAP. Is there any way I can convert an LDAP MD5/SHA hash to an NT hash password?

Thanks!

Alan DeKok <al...@deployingradius.com> wrote:
> uselessidbr wrote:
> > People, I've read a lot about the WIFI/AP authentication over Freeradius using LDAP but it seems I cannot make it work unless I use clear-text password or NT/LM password, which as far as I know implies Samba + LDAP integration.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Note it doesn't mention Samba. NT-Passwords are a password *format*. They can be stored anywhere.
>
> > My question is, is that really the only way to make freeradius authenticate users using an LDAP database? Do I need to have Samba + LDAP to authenticate WIFI users using freeradius + LDAP with EAP-MSCHAPv2?
>
> No. You need cleartext passwords, or NT passwords. Where they are stored is a completely separate question.
>
> > With my current configuration I was able to authenticate LDAP users with clear-text password but that's not what I really want as a WIFI authentication solution. My goal is to use freeradius to authenticate WIFI users using an LDAP database and without the need to use a non-native Windows application.
>
> You can do that. Only if you use the correct password format.
>
> > Here goes my debug using an encrypted user password (which fails):
>
> It fails because you didn't tell the server what the correct password was.
>
> Alan DeKok.

--
Regards,

GUSTAVO VIEIRA OLIVEIRA
Sistema FIESC
Central de Serviços TIC
TIC - Unidade Integrada de Tecnologia da Informação e Comunicação
Rod. Admar Gonzaga, 2765 - Itacorubi - 2o Andar
CEP 88034-001 - Florianópolis - SC
Phone (48) 3231-4699 - Fax (48) 3231-4170 - Ext. 44699
e-mail: atendime...@tic.fiescnet.com.br
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
On 09/20/2011 11:03 AM, GUSTAVO VIEIRA OLIVEIRA wrote:
> Is there any way I can convert an LDAP MD5/SHA hash to an NT hash password?

One-way password hashes are called one-way for a reason :-)

To produce a password hash you must start with a cleartext password.

See also: http://deployingradius.com/documents/protocols/compatibility.html

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
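As an added illustration (not code from this thread or from FreeRADIUS), the Python below shows why a stored {SSHA} userPassword is a dead end for NT-Password but the cleartext seen at a password change is not: it verifies the cleartext against the existing {SSHA} value and, only on a match, derives the NT hash (unsalted MD4 over UTF-16LE) for storing next to it. MD4 is implemented in pure Python because hashlib's md4 is missing on many OpenSSL 3 builds; the {SSHA} entry, salt and password used in testing are constructed sample values.

```python
import base64
import hashlib
import struct

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many OpenSSL 3 builds."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mix function, additive constant, message-word order, shift per step)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        w = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rol((a + fn(b, c, d) + w[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles for the next step
        h = [(v + u) & 0xFFFFFFFF for v, u in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT-Password is unsalted MD4 over the UTF-16LE cleartext; MS-CHAPv2 needs exactly this."""
    return md4(password.encode("utf-16-le"))

def make_ssha(password: str, salt: bytes) -> str:
    """Build an LDAP {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ssha_matches(stored: str, password: str) -> bool:
    """Verify cleartext against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def nt_hash_on_password_change(stored_ssha: str, cleartext: str):
    """Return the hex NT-Password to store beside the existing {SSHA} value, or None on mismatch.
    The SSHA digest alone can never yield this; only the cleartext seen at change time can."""
    if not ssha_matches(stored_ssha, cleartext):
        return None
    return nt_hash(cleartext).hex().upper()
```

Hook nt_hash_on_password_change into whatever path already sees the cleartext (a password-change form or an LDAP bind proxy); every user still has to set their password once before MS-CHAPv2 can work for them.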
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
So, there's no other option to use an LDAP database for RADIUS authentication for WIFI users (Windows users) without the use of an AD or a 3rd-party supplicant?

Also, is there any howto that explains how I can get my setup to work with NtPassword? If I change my radius setup to work with ntpasswords, do I have to set users' passwords again or can it be done automatically?

I just want an alternative that makes me achieve my goal, any idea?

Thanks again!

John Dennis <jden...@redhat.com> wrote:
> On 09/20/2011 11:03 AM, GUSTAVO VIEIRA OLIVEIRA wrote:
> > Is there any way I can convert an LDAP MD5/SHA hash to an NT hash password?
>
> One-way password hashes are called one-way for a reason :-)
>
> To produce a password hash you must start with a cleartext password.
>
> See also: http://deployingradius.com/documents/protocols/compatibility.html
>
> --
> John Dennis <jden...@redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

--
Regards,

GUSTAVO VIEIRA OLIVEIRA
Sistema FIESC
Central de Serviços TIC
TIC - Unidade Integrada de Tecnologia da Informação e Comunicação
Rod. Admar Gonzaga, 2765 - Itacorubi - 2o Andar
CEP 88034-001 - Florianópolis - SC
Phone (48) 3231-4699 - Fax (48) 3231-4170 - Ext. 44699
e-mail: atendime...@tic.fiescnet.com.br
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
You can use LDAP without needing AD or some 3rd-party supplicant on the OS, but as already said, you will need to have the password as nthash or cleartext. Read the compatibility matrix.

alan

--
Message may be brief as it has been sent from my mobile
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
Very true, thank you for pointing that out as well. Note to anyone following: if you use a certificate signed by a general authority (Verisign, for example) then anyone with a Verisign cert will be trusted in your place, and able to authenticate your users, i.e. as a man in the middle. They'll have access to the unencrypted password payload (NT, cleartext), which is a severe security compromise. That's why you (should) always use an internal Certificate Authority, where you control which certs are signed and distributed.

On 9/20/2011 00:31, Alan DeKok wrote:
> Christ Schlacta wrote:
> > I thought if you had a certificate signed by a trusted root CA, you were good and didn't need to install anything on the client.
>
> It's true that you don't need to install anything on the client. It's *not* true that it's a good idea.
>
> Alan DeKok.
Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
Hello.

People, I've read a lot about the WIFI/AP authentication over Freeradius using LDAP but it seems I cannot make it work unless I use clear-text password or NT/LM password, which as far as I know implies Samba + LDAP integration.

My question is, is that really the only way to make freeradius authenticate users using an LDAP database? Do I need to have Samba + LDAP to authenticate WIFI users using freeradius + LDAP with EAP-MSCHAPv2? If so, is there any other solution to authenticate Windows WIFI users without using a 3rd-party wifi supplicant?

Definitely, there's no other way I can use freeradius and fedora-ds without Samba/clear-text password OR a 3rd-party supplicant that supports EAP/PAP?

With my current configuration I was able to authenticate LDAP users with clear-text password but that's not what I really want as a WIFI authentication solution. My goal is to use freeradius to authenticate WIFI users using an LDAP database and without the need to use a non-native Windows application.

Here goes my debug using an encrypted user password (which fails):

FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Mar 25 2011 at 10:54:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
	user = radiusd
	group = radiusd
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/radius
	libdir = /usr/lib64/freeradius
	radacctdir = /var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests