Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-21 Thread Phil Mayers

On 21/09/11 03:11, Christ Schlacta wrote:

Very true, thank you for pointing that out as well.
Note to anyone following:
If you use a certificate signed by a general authority (Verisign for
example) then anyone with a Verisign cert will be trusted in your place,
and able to authenticate your users, i.e. as a man in the middle.
They'll have access to the un-encrypted password payload (NT,
cleartext), which is a severe security compromise. That's why you
(should) always use an internal Certificate Authority, where you control
which certs are signed and distributed.


This is only minimally correct, IMO.

Many EAP clients will, in addition to trusting the cert, record the CN 
of the cert on first connect. Some can even be pre-configured with the 
CA cert & CN to expect (google su1x). So someone would have to:


 1. Get a cert from the same CA
 2. With the same CN

Assuming you get a cert from a reliable CA (and not one who, say, can 
get tricked by some horrible authoritarian government into giving them a 
wildcard cert...) this is much harder.


You are correct that, in an ideal world, using a private CA would be the
easy go-to option. However, with the notable exception of Mac OS X and
iOS (which have a sensible first-use confirmation GUI), it's a massive
pain deploying a private CA. It's entirely understandable that people make
the cost/benefit evaluation and come down in favour of a public CA.


All this could have been avoided if X.509 wasn't broken by design of 
course, but that's a topic for another forum ;o)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
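As an added illustration of the two-part check Phil describes (trust only one CA, and expect one server name), here is a wpa_supplicant network block in its weak form and its hardened form. This is example configuration written for this page, not from the thread or from the FreeRADIUS project; the SSID, file path, identity and the radius.example.com name are placeholders. The option names are wpa_supplicant's own (`ca_cert`, `subject_match`, `domain_suffix_match`; the last requires a wpa_supplicant release that supports it).

```conf
# WEAK (example only): no ca_cert, so the supplicant accepts any chain the
# OS trust store accepts. Any holder of a certificate from any public CA
# can terminate the TLS tunnel and see the inner MSCHAPv2 exchange.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="example-only"
}

# HARDENED (example only): pin the issuing CA and the expected server name.
# Both checks must pass before the tunnel is used, so a certificate from
# the same CA but with a different name is rejected.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="example-only"
    # Trust anchor: only this CA (a private CA, or the one public CA you bought from).
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"
    # Substring that must appear in the server certificate's subject DN.
    subject_match="CN=radius.example.com"
    # dNSName SAN (or CN) must equal this name or be a subdomain of it.
    domain_suffix_match="radius.example.com"
}
```

The hardened block is what "pre-configured with the CA cert and CN to expect" looks like on a Linux client; the Mac OS X / iOS first-use prompt that Phil mentions records the equivalent information interactively.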


Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-20 Thread Alan DeKok
uselessidbr wrote:
 People, I've read a lot about the WIFI/AP authentication over Freeradius
 using LDAP but it seems I cannot make it work unless I use clear-text
 password or NT/LM password which, as far as I know, implies Samba + LDAP
 integration.

  http://deployingradius.com/documents/protocols/compatibility.html

  Note it doesn't mention Samba.  NT-Passwords are a password *format*.
They can be stored anywhere.

 My question is, is that really the only way to make freeradius authenticate
 users using an LDAP database?
 
 Do I need to have samba + ldap to authenticate WIFI users using freeradius +
 LDAP with EAP-MSCHAPv2?

  No.  You need cleartext passwords, or NT passwords.  Where they are
stored is a completely separate question.

 With my current configuration I was able to authenticate LDAP users with
 clear-text password but that's not what I really want as a WIFI authentication
 solution. My goal is to use freeradius to authenticate WIFI users using an
 LDAP database and without the need to use a non-native Windows application.

  You can do that.  Only if you use the correct password format.

 Here goes my debug using an encrypted user password (which fails):

  It fails because you didn't tell the server what the correct password was.

  Alan DeKok.


Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-20 Thread Alan DeKok
Christ Schlacta wrote:
 I thought if you had a certificate signed by a trusted root CA, you were
 good and didn't need to install anything on the client.

  It's true that you don't need to install anything on the client.  It's
*not* true that it's a good idea.

  Alan DeKok.


Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-20 Thread GUSTAVO VIEIRA OLIVEIRA
Hello.

Thanks for the answers.

I got no AD integrated with LDAP.

Is there any way I can convert an LDAP MD5/SHA hash to an NT hash password?

Thanks!

Alan DeKok al...@deployingradius.com wrote:
 uselessidbr wrote:
 People, I've read a lot about the WIFI/AP authentication over Freeradius
 using LDAP but it seems I cannot make it work unless I use clear-text
 password or NT/LM password which, as far as I know, implies Samba + LDAP
 integration.
 
   http://deployingradius.com/documents/protocols/compatibility.html
 
   Note it doesn't mention Samba.  NT-Passwords are a password *format*.
 They can be stored anywhere.
 
 My question is, is that really the only way to make freeradius
authenticate
 users using an LDAP database?
 
 Do I need to have samba + ldap to authenticate WIFI users using
freeradius +
 LDAP with EAP-MSCHAPv2?
 
   No.  You need cleartext passwords, or NT passwords.  Where they are
 stored is a completely separate question.
 
 With my current configuration I was able to authenticate LDAP users with
 clear-text password but that's not what I really want as a WIFI authentication
 solution. My goal is to use freeradius to authenticate WIFI users using an
 LDAP database and without the need to use a non-native Windows
application.
 
   You can do that.  Only if you use the correct password format.
 
 Here goes my debug using an encrypted user password (which fails):
 
   It fails because you didn't tell the server what the correct password
was.
 
   Alan DeKok.
 

--
Best regards,
_
GUSTAVO VIEIRA OLIVEIRA
Sistema FIESC
TIC Service Center
TIC - Integrated Information and Communication Technology Unit
Rod. Admar Gonzaga, 2765 - Itacorubi - 2nd floor
CEP 88034-001 - Florianópolis - SC
Phone (48) 3231-4699 - Fax (48) 3231-4170 - Ext. 44699
e-mail: atendime...@tic.fiescnet.com.br






Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-20 Thread John Dennis

On 09/20/2011 11:03 AM, GUSTAVO VIEIRA OLIVEIRA wrote:

Is there any way I can convert an LDAP MD5/SHA hash to an NT hash password?


One-way password hashes are called one-way for a reason :-)

To produce a password hash you must start with a cleartext password.

See also:

http://deployingradius.com/documents/protocols/compatibility.html

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-20 Thread GUSTAVO VIEIRA OLIVEIRA
So, there's no other option to use LDAP database for radius authentication
for WIFI users (Windows users) without the use of an AD or a 3rd party
supplicant?

Also, is there any howto that explains how I can get my setup to work with
NtPassword?

If I change my radius setup to work with ntpasswords do I have to set users'
passwords again or can it be done automatically?

I just want an alternative that makes me achieve my goal, any idea?

Thanks again!

John Dennis jden...@redhat.com wrote:
 On 09/20/2011 11:03 AM, GUSTAVO VIEIRA OLIVEIRA wrote:
 Is there any way I can convert an LDAP MD5/SHA hash to an NT hash
password?
 
 One-way password hashes are called one-way for a reason :-)
 
 To produce a password hash you must start with a cleartext password.
 
 See also:
 
 http://deployingradius.com/documents/protocols/compatibility.html
 
 -- 
 John Dennis jden...@redhat.com
 
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/
 

--
Best regards,
_
GUSTAVO VIEIRA OLIVEIRA
Sistema FIESC
TIC Service Center
TIC - Integrated Information and Communication Technology Unit
Rod. Admar Gonzaga, 2765 - Itacorubi - 2nd floor
CEP 88034-001 - Florianópolis - SC
Phone (48) 3231-4699 - Fax (48) 3231-4170 - Ext. 44699
e-mail: atendime...@tic.fiescnet.com.br






Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-20 Thread Alan Buxey
You can use LDAP without needing AD or some 3rd party supplicant on the OS,
but as already said, you will need to have the password as NT hash or cleartext.
Read the compatibility matrix.

alan
--
Message may be brief as it has been sent from my mobile



Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-20 Thread Christ Schlacta

Very true, thank you for pointing that out as well.
Note to anyone following:
If you use a certificate signed by a general authority (Verisign for
example) then anyone with a Verisign cert will be trusted in your place,
and able to authenticate your users, i.e. as a man in the middle.
They'll have access to the un-encrypted password payload (NT, 
cleartext), which is a severe security compromise.  That's why you 
(should) always use an internal Certificate Authority, where you control 
which certs are signed and distributed.


On 9/20/2011 00:31, Alan DeKok wrote:

Christ Schlacta wrote:

I thought if you had a certificate signed by a trusted root CA, you were
good and didn't need to install anything on the client.

   It's true that you don't need to install anything on the client.  It's
*not* true that it's a good idea.

   Alan DeKok.




Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-19 Thread uselessidbr
Hello.

People, I've read a lot about the WIFI/AP authentication over Freeradius
using LDAP but it seems I cannot make it work unless I use clear-text
password or NT/LM password which, as far as I know, implies Samba + LDAP
integration.

My question is, is that really the only way to make freeradius authenticate
users using an LDAP database?

Do I need to have samba + ldap to authenticate WIFI users using freeradius +
LDAP with EAP-MSCHAPv2?

If so, is there any other solution to authenticate Windows WIFI users
without using a 3rd party wifi supplicant? 

Definitely, there's no other way I can use freeradius and fedora-ds without
Samba/clear-text password OR a 3rd party supplicant that supports EAP/PAP?

With my current configuration I was able to authenticate LDAP users with
clear-text password but that's not what I really want as a WIFI authentication
solution. My goal is to use freeradius to authenticate WIFI users using an
LDAP database and without the need to use a non-native Windows application.


Here goes my debug using an encrypted user password (which fails):

FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Mar
25 2011 at 10:54:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib64/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests