RE: LDAP/MSCHAP
I wanted to say thanks to everybody from this list who has given me a hand over the past few weeks. I have successfully configured Freeradius to authenticate 802.1X wireless clients from an AD domain and assign them the appropriate VLAN tag based on AD/LDAP group membership. Many thanks to everybody.

-Original Message-
From: Sven Hartge
Sent: Sunday, November 13, 2011 8:39 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP/MSCHAP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP/MSCHAP
Andreas Rudat wrote:
> On 12.11.2011 23:00, Sven Hartge wrote:
>> This also means you have to protect those hashes inside your database
>> like a raw cleartext password, as you can authenticate to any Windows
>> box with the knowledge of the NT/LM-Hash.
>>
>> This has been exploited by several Windows trojan horses, which
>> grabbed the NT-Hash from the Administrator user to log in to other
>> boxes on the network using the same password (or worse: the domain
>> controller).
> Ah, many thanks for clearing that up, so both are bad no matter which
> mechanism is used.

Yes. Storing the NT-Hash has the advantage of not completely exposing the cleartext password to a possible intruder.

Storing the LM-Hash is just dumb, because a) it limits the length of the password to 16 characters and b) the LM-Hash is easily broken in seconds by today's computers.

Storing the raw cleartext password is as bad, but it enables one to use other challenge-handshake auths, if needed.

I chose to store the raw cleartext password in LDAP, but in a different attribute than the normal userPassword. This way, if my LDAP servers ever get compromised (or I mess up an ACL, enabling anyone to read the cleartext password), just the WLAN/Dialup password of a user is revealed and not the master password for the account, which is used for mail, logging in to computers, etc.

Regards, Sven.
--
Sigmentation fault. Core dumped.
Re: LDAP/MSCHAP
On 12.11.2011 23:00, Sven Hartge wrote:
> Sven Hartge wrote:
>> Andreas Rudat wrote:
>>> On 11.11.2011 03:56, Fajar A. Nugraha wrote:
>>>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
>>>>> I agree with Jake, in that I *think* it would be possible to have a
>>>>> plugin or whatever interface with LDAP/AD in the same manner
>>>>> ntlm_auth does. I don't think one *needs* a cleartext password,
>>>>> but does need some way to compare apples-to-apples.
>>>> That's exactly what Alan is saying: "store your passwords in the
>>>> LDAP as NT-Password or LM-Password"
>>> But if that works, why then is everyone saying that you can just work
>>> with plaintext? It's really confusing.
>> NT/LM-Password is "special". This is why it works with MSCHAPv2, both
>> being a MicroSoft "invention".
> To be precise: MSCHAPv2 works with the NT/LM-Password as input to the
> Challenge-Handshake and not the "raw" cleartext password. This is why
> this works.
>
> FreeRADIUS converts a cleartext password into the needed NT-Hash and
> then applies this to the MSCHAPv2 handshake. Or it uses a pre-existing
> NT-Hash from LDAP/MySQL/whatever.
>
> Quote from http://en.wikipedia.org/wiki/NTLM:
>
> | The NTLM protocol uses one or both of two hashed password values, both
> | of which are also stored on the server (or domain controller), and which
> | are password equivalent, meaning that if you grab the hash value from
> | the server, you can authenticate without knowing the actual password.
>
> This also means you have to protect those hashes inside your database
> like a raw cleartext password, as you can authenticate to any Windows
> box with the knowledge of the NT/LM-Hash.
>
> This has been exploited by several Windows trojan horses, which grabbed
> the NT-Hash from the Administrator user to log in to other boxes on the
> network using the same password (or worse: the domain controller).
>
> Regards,
> S

Ah, many thanks for clearing that up, so both are bad no matter which mechanism is used.

Andreas
Re: LDAP/MSCHAP
Sven Hartge wrote:
> Andreas Rudat wrote:
>> On 11.11.2011 03:56, Fajar A. Nugraha wrote:
>>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
>>>> I agree with Jake, in that I *think* it would be possible to have a
>>>> plugin or whatever interface with LDAP/AD in the same manner
>>>> ntlm_auth does. I don't think one *needs* a cleartext password, but
>>>> does need some way to compare apples-to-apples.
>>> That's exactly what Alan is saying: "store your passwords in the
>>> LDAP as NT-Password or LM-Password"
>> But if that works, why then is everyone saying that you can just work
>> with plaintext? It's really confusing.
> NT/LM-Password is "special". This is why it works with MSCHAPv2, both
> being a MicroSoft "invention".

To be precise: MSCHAPv2 works with the NT/LM-Password as input to the Challenge-Handshake and not the "raw" cleartext password. This is why this works.

FreeRADIUS converts a cleartext password into the needed NT-Hash and then applies this to the MSCHAPv2 handshake. Or it uses a pre-existing NT-Hash from LDAP/MySQL/whatever.

Quote from http://en.wikipedia.org/wiki/NTLM:

| The NTLM protocol uses one or both of two hashed password values, both
| of which are also stored on the server (or domain controller), and which
| are password equivalent, meaning that if you grab the hash value from
| the server, you can authenticate without knowing the actual password.

This also means you have to protect those hashes inside your database like a raw cleartext password, as you can authenticate to any Windows box with the knowledge of the NT/LM-Hash.

This has been exploited by several Windows trojan horses, which grabbed the NT-Hash from the Administrator user to log in to other boxes on the network using the same password (or worse: the domain controller).

Regards,
S°
--
Sigmentation fault. Core dumped.
Re: LDAP/MSCHAP
Andreas Rudat wrote:
> On 11.11.2011 03:56, Fajar A. Nugraha wrote:
>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
>>> I agree with Jake, in that I *think* it would be possible to have a
>>> plugin or whatever interface with LDAP/AD in the same manner
>>> ntlm_auth does. I don't think one *needs* a cleartext password, but
>>> does need some way to compare apples-to-apples.
>> That's exactly what Alan is saying: "store your passwords in the
>> LDAP as NT-Password or LM-Password"
> But if that works, why then is everyone saying that you can just work with
> plaintext? It's really confusing.

NT/LM-Password is "special". This is why it works with MSCHAPv2, both being a MicroSoft "invention".

S°
--
Sigmentation fault. Core dumped.
Re: LDAP/MSCHAP
On 11/12/2011 06:43 PM, Andreas Rudat wrote:
> But if that works, why then is everyone saying that you can just work with
> plaintext? It's really confusing.

If you have the plaintext, you can generate any hash, and of course perform any auth mechanism.
Re: LDAP/MSCHAP
On 11.11.2011 03:56, Fajar A. Nugraha wrote:
> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
>> I agree with Jake, in that I *think* it would be possible to have a plugin
>> or whatever interface with LDAP/AD in the same manner ntlm_auth does. I
>> don't think one *needs* a cleartext password, but does need some way to
>> compare apples-to-apples.
> That's exactly what Alan is saying:
> "
> store your passwords in the LDAP as NT-Password or LM-Password
> "

But if that works, why then is everyone saying that you can just work with plaintext? It's really confusing.

Andreas

> ... although in my experiments NT-Password alone is enough, but
> LM-Password alone is useless.
>
> How can you create NT-Password? One way to do that is by hijacking the
> process where the user enters the password as plaintext (e.g. from the
> password prompt when the user changes their password) and use smbencrypt
> (part of freeradius)
>
> Where do you store NT-Password in LDAP? In the ntPassword or
> sambaNtPassword LDAP attribute (or any other attribute of your choice,
> as long as you remember to update raddb/ldap.attrmap as well)
>
> If you have NT-Password, then you don't need the user's cleartext password
> anymore, and you don't even need any helper tool.
Re: LDAP/MSCHAP
Gary Gatten wrote:
> I agree with Jake, in that I *think* it would be possible to have a plugin or
> whatever interface with LDAP/AD in the same manner ntlm_auth does.

It's possible to have a plugin, but there is no benefit. FreeRADIUS already has an LDAP plugin. The *only* reason for ntlm_auth is that Microsoft doesn't expose the NT-Password over LDAP.

> I don't think one *needs* a cleartext password, but does need some way to
> compare apples-to-apples. That said, I don't know the inner workings of all
> the auth protocols involved here so I could be way off. Something tells me
> if it were easy/possible, Mr. DeKok would have likely written the plugin by
> now.

http://deployingradius.com/documents/protocols/compatibility.html

This hasn't changed in 15 years.

Alan DeKok.
Re: LDAP/MSCHAP
Whitlow, Michael wrote:
> I am really close to a successful Freeradius implementation for 802.1X
> wireless using LDAP authentication on the back end.

Are you sure the backend is LDAP, and not AD? If it's AD, see my web page: http://deployingradius.com

It has complete instructions for configuring authentication to AD.

> Here is the debug output. I have read others online with these symptoms
> but nothing I have found yet will help me.

If you look at the *rest* of the debug output, you'll probably see that the LDAP module didn't find a password in LDAP. If it found a password, it would set a Cleartext-Password, and MS-CHAP would work.

Alan DeKok.
Re: LDAP/MSCHAP
On 11/11/2011 01:29 AM, Gary Gatten wrote:
> I agree with Jake, in that I *think* it would be possible to have a plugin
> or whatever interface with LDAP/AD in the same manner ntlm_auth does. I
> don't think one *needs* a cleartext password, but

To quote from the other email I just sent:

"""
People wanting to do MSCHAP must have either:

1. The NT or LM hashes
2. The cleartext password, to generate the NT/LM hashes
3. Access to a system which will perform the MSCHAP crypto for them (i.e. a domain controller, access via samba/ntlm_auth)
"""

If you're talking about writing something that interfaces with Active Directory "in the same way" as ntlm_auth, you're essentially talking about writing a (presumably easier to set up/run than samba/ntlm_auth) program to do #3.

However: I will note there's no evidence that the OP was using AD. He could have just been using a plain LDAP server.

> does need some way to compare apples-to-apples. That said, I don't know the
> inner workings of all the auth protocols involved here so I could be way
> off. Something tells me if it were easy/possible, Mr. DeKok would have
> likely written the plugin by now.

As it happens, I do know the protocols and internal Windows APIs, and did look into this a while back. It is *possible* but very tricky, and it's unclear to me it would be "easier" than samba/ntlm_auth. A few points:

1. You CANNOT access the required APIs remotely; you MUST be running as a local process on a Windows domain controller. Thankfully there are other APIs which a domain member can call as an RPC which proxy to these APIs, but you need a domain machine account to call them (this is what Samba/ntlm_auth does).
2. The required APIs are very, very scantily documented.
3. The required APIs ONLY permit you to perform the MSCHAP calculations; they don't give you access to any password hashes.

So, basically you would end up with:

1. A C program, which you have to compile for Windows, which calls the internal LSA APIs to perform an MSCHAP challenge/response
2. Which you then have to run on a Windows server, which calls the RPC on your domain controllers (this is EXACTLY what Samba/ntlm_auth does)
3. Some kind of authentication to secure the FreeRADIUS -> program network comms

I got about halfway through step 1 - the API calls were executing, but the call failed despite being passed a valid challenge/response. I assume there are some (more) undocumented API subtleties.

Given the difficulties and awkwardness of the solution, I gave up and concluded people should just run Samba, or if they really can't tolerate that, run a dumb copy of IAS/NPS and proxy the MSCHAP/EAP-MSCHAP to that.

Cheers,
Phil
Re: LDAP/MSCHAP
On 11/10/2011 11:36 PM, Sallee, Stephen (Jake) wrote:
> Please forgive the interjection, but does anyone know of a helper module
> like ntlm_auth that would work with LDAP? Seems like such a tool would
> make questions like this a non-issue.

MSCHAP is a challenge-response mechanism. To execute the cryptographic calculation, you MUST have access to the NT or LM hashes of the user's password.

It's unclear to me what kind of "helper" module you're envisaging; perhaps a USB-attached quantum computer that can crack the crypto in realtime ;o)

In all seriousness - there's nothing to "help" here. People wanting to do MSCHAP must have either:

1. The NT or LM hashes
2. The cleartext password, to generate the NT/LM hashes
3. Access to a system which will perform the MSCHAP crypto for them (i.e. a domain controller, access via samba/ntlm_auth)

This is by design - the cryptographic properties of MSCHAP were created intentionally to make this the case.
Re: LDAP/MSCHAP
On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
> I agree with Jake, in that I *think* it would be possible to have a plugin or
> whatever interface with LDAP/AD in the same manner ntlm_auth does. I don't
> think one *needs* a cleartext password, but does need some way to compare
> apples-to-apples.

That's exactly what Alan is saying:
"
store your passwords in the LDAP as NT-Password or LM-Password
"

... although in my experiments NT-Password alone is enough, but LM-Password alone is useless.

How can you create NT-Password? One way to do that is by hijacking the process where the user enters the password as plaintext (e.g. from the password prompt when the user changes their password) and use smbencrypt (part of freeradius)

Where do you store NT-Password in LDAP? In the ntPassword or sambaNtPassword LDAP attribute (or any other attribute of your choice, as long as you remember to update raddb/ldap.attrmap as well)

If you have NT-Password, then you don't need the user's cleartext password anymore, and you don't even need any helper tool.

--
Fajar
Re: LDAP/MSCHAP
I agree with Jake, in that I *think* it would be possible to have a plugin or whatever interface with LDAP/AD in the same manner ntlm_auth does. I don't think one *needs* a cleartext password, but does need some way to compare apples-to-apples. That said, I don't know the inner workings of all the auth protocols involved here so I could be way off. Something tells me if it were easy/possible, Mr. DeKok would have likely written the plugin by now.

- Original Message -
From: Sven Hartge
Sent: Thursday, November 10, 2011 06:18 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP/MSCHAP
Re: LDAP/MSCHAP
"Sallee, Stephen (Jake)" wrote: > Please forgive the interjection, but does anyone know of a helper > module like ntlm_auth that would work with LDAP, seems like such a > tool would make questions like this a non-issue. No, will not work. You can't transform the normally used hashes back into a cleartext password. (This is kind of the whole point of a hash.) As long you don't have any means to provide FreeRADIUS with a cleartext password or the NT/LM-Hash, you are doomed. ntlm_auth just offloads the whole Challenge-Response exchange from the RADIUS server to the ActiveDirectory (as far as I understand it) using the ntlm_auth binary from Samba. Again: the AD will have to know the cleartext password in some way (either encrypted or somehow "pre-hashed") to make this work. (Don't know the specifics, I am a Unix guy, the only Windows near me is on my gaming computer.) Grüße, S° -- Sigmentation fault. Core dumped. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: LDAP/MSCHAP
Please forgive the interjection, but does anyone know of a helper module like ntlm_auth that would work with LDAP? Seems like such a tool would make questions like this a non-issue.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

-Original Message-
From: Sven Hartge
Sent: Thursday, November 10, 2011 5:24 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP/MSCHAP
Re: LDAP/MSCHAP
Whitlow, Michael wrote:
> I am really close to a successful Freeradius implementation for 802.1X
> wireless using LDAP authentication on the back end.

Nope, you are not very close. You _cannot_ use any LDAP authentication (via binding with a DN to the LDAP server) with any CHAP authentication. This will never work.

You cannot use LDAP as an authentication oracle here, you have to use it more like a database. See http://deployingradius.com/documents/protocols/oracles.html, quote:

"An authentication oracle is a system where the RADIUS server does not perform the authentication itself, but instead passes the user's authentication credentials to another system."

This does NOT work with MSCHAP, since the RADIUS server _does not have_ the complete authentication credentials in this case; it is missing the password. The only thing it has is the hashed version, the so-called "challenge".

> Here is what I have:
> - RADTEST / clear text Freeradius password from "users" file / WORKS GREAT

Works because of the cleartext password.

> - Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / clear text
> Freeradius password from "users" file / WORKS GREAT

Works because of the cleartext password.

> - RADTEST / LDAP credentials / WORKS GREAT

Works, because this uses PAP, which does _not_ need a cleartext password on the RADIUS server, because radtest supplies a cleartext password itself in the RADIUS packet (inside the attribute User-Password) and the server's ldap module can then use this information to bind to the LDAP server using the username and the supplied password from radtest. CHAP does _not_ work like this.

> - Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / LDAP
> credentials / NO GO

Does not work, because you don't have any cleartext password in the RADIUS server, because your LDAP setup does not provide one. And before you ask: no, just reading userPassword from the LDAP server will not help, because in 99.9% of cases this is a crypted password, mostly hashed using SHA1.

> Here is the debug output. I have read others online with these symptoms
> but nothing I have found yet will help me.

This is untrue. This comes up every fscking time anyone tries to use LDAP and MSCHAP. It is a common error.

> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.

You will need to do the following:

a) set up a special user inside your LDAP tree for freeradius. This special user needs to have the correct permissions to read an attribute with the cleartext password of any user.
b) configure this special user in {confdir}/modules/ldap, search for "identity"
c) change password_attribute to the cleartext-password attribute you are using if it is not userPassword. (I strongly recommend using a different password attribute for your users, but the default is OK too, if you don't mind having the main password for a user being in cleartext inside your LDAP tree.)

This way FreeRADIUS logs into the LDAP server using its own credentials, searches for the username, reads the cleartext password and _THEN_ the mschapv2 module is able to work.

This is the _only_ way to get MSCHAPv2 to work with LDAP. And this has been discussed in this list every time anyone tried to tie LDAP and FreeRADIUS.

Regards, Sven.
--
Sigmentation fault. Core dumped.
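An added illustration of steps a) to c) above, not configuration from any of the posts: an assumed FreeRADIUS 2.x raddb/modules/ldap fragment that binds with a dedicated identity and reads a separate cleartext attribute, next to an assumed OpenLDAP ACL that keeps that attribute readable only by the FreeRADIUS bind DN. The hostname, DNs and the radiusPassword attribute are placeholders; the attribute must be defined in your schema and stored without a {SSHA}-style hash.

```text
# raddb/modules/ldap (FreeRADIUS 2.x layout, assumed)
ldap {
    server   = "ldap.example.com"                              # placeholder
    identity = "cn=freeradius,ou=services,dc=example,dc=com"   # step b): dedicated bind DN
    password = "BIND-PASSWORD-PLACEHOLDER"
    basedn   = "ou=people,dc=example,dc=com"
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Weak/common mistake: leaving the default. userPassword normally holds a
    # {SSHA} hash, so rlm_ldap cannot set Cleartext-Password and rlm_mschap
    # logs "No Cleartext-Password configured. Cannot create NT-Password."
    # password_attribute = userPassword

    # step c): a separate attribute that holds only the WLAN/dial-up password,
    # so a leak of this attribute does not expose the account's main password.
    password_attribute = radiusPassword
}

# OpenLDAP cn=config ACL (assumed): only the FreeRADIUS bind DN may read the
# attribute; the user may write it but not read it back; everyone else: nothing.
olcAccess: to attrs=radiusPassword
  by dn.exact="cn=freeradius,ou=services,dc=example,dc=com" read
  by self =w
  by * none
```

Keep this ACL ahead of any broad `to * by users read` rule, since OpenLDAP stops at the first `to` clause that matches the attribute.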
Re: LDAP/MSCHAP
Hi,

> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.

Store your passwords in the LDAP as NT-Password or LM-Password hashes. This then allows the PEAP/MSCHAPv2 method of EAP to work.

alan
RE: LDAP MSCHAP error
> Also any ideas as to how I may insert the variable from perl would be
> nice.

Read the rlm_perl documentation.

Ivan Kalik
Kalik Informatika ISP
RE: LDAP MSCHAP error
Also any ideas as to how I may insert the variable from perl would be nice.

-Original Message-
From: Alan DeKok
Sent: Monday, August 24, 2009 11:03 AM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error
RE: LDAP MSCHAP error
Passwords that are affected do not contain 00, FYI.

-Original Message-
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, August 24, 2009 11:03 AM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error

Larry Ross wrote:
> LOL, K. Just found it interesting that with so little data you were able to
> divine our schema. The problem here is our LDAP tree will not or cannot
> change (political reasons... Long story sucks for me, but as they say wish in
> one hand and poop in the other, get back to me when you figure out which one
> fills first...)

As I said... it's C programming 101. It's trivial for anyone who's spent 10 minutes with C.

> So yeah I am stuck with Binary NT hashes to use for MSCHAP auth. The odd
> thing is it works for 95% of our users, it seems there is a character combo
> that causes the truncation.

Yes. "00". This is C 101.

> So I was thinking I would use a perl script (thank you rlm_perl, and
> PERL-LDAP modules) to perform the LDAP query and then convert the data to
> ASCII and insert the converted String Data into the NT-Password variable.

That might work.

Alan DeKok.
Re: LDAP MSCHAP error
Larry Ross wrote:
> LOL, K. Just found it interesting that with so little data you were able to
> divine our schema. The problem here is our LDAP tree will not or cannot
> change (political reasons... Long story sucks for me, but as they say wish in
> one hand and poop in the other, get back to me when you figure out which one
> fills first...)

As I said... it's C programming 101. It's trivial for anyone who's spent 10 minutes with C.

> So yeah I am stuck with Binary NT hashes to use for MSCHAP auth. The odd
> thing is it works for 95% of our users, it seems there is a character combo
> that causes the truncation.

Yes. "00". This is C 101.

> So I was thinking I would use a perl script (thank you rlm_perl, and
> PERL-LDAP modules) to perform the LDAP query and then convert the data to
> ASCII and insert the converted String Data into the NT-Password variable.

That might work.

Alan DeKok.
RE: LDAP MSCHAP error
LOL, K. Just found it interesting that with so little data you were able to divine our schema. The problem here is our LDAP tree will not or cannot change (political reasons... Long story sucks for me, but as they say wish in one hand and poop in the other, get back to me when you figure out which one fills first...)

So yeah I am stuck with Binary NT hashes to use for MSCHAP auth. The odd thing is it works for 95% of our users, it seems there is a character combo that causes the truncation.

So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP modules) to perform the LDAP query and then convert the data to ASCII and insert the converted String Data into the NT-Password variable.

With that strategy in mind I have a couple questions.
1: Sanity check. Before I begin down this path, does this sound plausible?
2: Suggestions or samples would be greatly appreciated.

Thank you
Larry

-Original Message-
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, August 21, 2009 11:35 PM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error

Larry Ross wrote:
> Hmm interesting, how were you able to divine that that is how we are storing
> the hash values...

C programming 101.

Alan DeKok.
Re: LDAP MSCHAP error
I don't want to receive any email from freeradius-users@lists.freeradius.org. Please.

--- On Fri, 8/21/09, Alan DeKok wrote:

From: Alan DeKok
Subject: Re: LDAP MSCHAP error
To: "FreeRadius users mailing list"
Date: Friday, August 21, 2009, 11:35 PM

Larry Ross wrote:
> Hmm interesting, how were you able to divine that that is how we are storing
> the hash values...

C programming 101.

Alan DeKok.
Re: LDAP MSCHAP error
Larry Ross wrote:
> Hmm interesting, how were you able to divine that that is how we are storing
> the hash values...

C programming 101.

Alan DeKok.
RE: LDAP MSCHAP error
Hmm interesting, how were you able to divine that that is how we are storing the hash values...

-Original Message-
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, August 20, 2009 11:59 PM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error

Larry Ross wrote:
> It appears though that there may be a bug in the string copy function of
> the rlm_ldap function (or whatever is responsible for copying the
> attributes from LDAP to Server core for MSCHAP challenge compare) We
> noticed the truncation upon "00" and "3d" in the NT-Password hash (so
> if the hash was abc12300 or abc1233d all you would see is abc123)

The OpenLDAP API assumes that the returned values are text. If you want to store *binary* data, then FreeRADIUS has to use a different API to query for the data. And *before* it does the query it has to know which values are binary, and which ones are text.

Or, you can do what everyone else does. Store the NT-Password hash as a string of 32 hex numbers. Storing it as a binary blob of 16 bytes just causes problems.

Alan DeKok.
Re: LDAP MSCHAP error
Larry Ross wrote:
> It appears though that there may be a bug in the string copy function of
> the rlm_ldap function (or whatever is responsible for copying the
> attributes from LDAP to Server core for MSCHAP challenge compare) We
> noticed the truncation upon "00" and "3d" in the NT-Password hash (so
> if the hash was abc12300 or abc1233d all you would see is abc123)

The OpenLDAP API assumes that the returned values are text. If you want to store *binary* data, then FreeRADIUS has to use a different API to query for the data. And *before* it does the query it has to know which values are binary, and which ones are text.

Or, you can do what everyone else does. Store the NT-Password hash as a string of 32 hex numbers. Storing it as a binary blob of 16 bytes just causes problems.

Alan DeKok.
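Alan's point about 0x00 bytes and the 32-hex-digit storage form, as an added C example (not FreeRADIUS code and not from any poster): a raw 16-byte NT hash that contains 0x00 is cut short by any text-oriented copy, while the hex-encoded form survives such a path and decodes back to 16 bytes, which is what the "[pap] Normalizing NT-Password from hex encoding" step in the eDirectory debug further down does. The sample hash bytes are constructed, not a real user's hash.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* An NT hash is MD4 of the UTF-16LE password: 16 raw bytes, or 32 hex digits as text. */
#define NT_HASH_LEN 16
#define NT_HEX_LEN  (2 * NT_HASH_LEN)

/* Constructed sample hash (not a real user's hash). Byte 6 is 0x00 on purpose. */
const unsigned char SAMPLE_HASH[NT_HASH_LEN] = {
    0xab, 0xc1, 0x23, 0x3d, 0x45, 0x67, 0x00, 0x89,
    0x9a, 0xbc, 0xde, 0xf0, 0x11, 0x22, 0x33, 0x44
};

/* The "C 101" failure: a text API (or strlen/strcpy anywhere in the path) treats
 * the first 0x00 of a raw hash as the terminator. Returns how many bytes survive. */
size_t raw_hash_strlen(const unsigned char hash[NT_HASH_LEN])
{
    char as_text[NT_HASH_LEN + 1];
    memcpy(as_text, hash, NT_HASH_LEN);
    as_text[NT_HASH_LEN] = '\0';
    return strlen(as_text);
}

/* Storage form the thread recommends: 32 upper-case hex digits, all printable,
 * so no byte value can ever look like a terminator. */
void nt_hash_to_hex(const unsigned char hash[NT_HASH_LEN], char out[NT_HEX_LEN + 1])
{
    static const char digits[] = "0123456789ABCDEF";
    for (size_t i = 0; i < NT_HASH_LEN; i++) {
        out[2 * i]     = digits[hash[i] >> 4];
        out[2 * i + 1] = digits[hash[i] & 0x0f];
    }
    out[NT_HEX_LEN] = '\0';
}

static int hex_digit(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode the hex text back to 16 raw bytes before the MS-CHAP computation
 * ("Normalizing NT-Password from hex encoding"). 0 on success, -1 if malformed. */
int nt_hex_to_hash(const char *hex, unsigned char out[NT_HASH_LEN])
{
    if (strlen(hex) != NT_HEX_LEN) return -1;
    for (size_t i = 0; i < NT_HASH_LEN; i++) {
        int hi = hex_digit((unsigned char)hex[2 * i]);
        int lo = hex_digit((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* Returns 1 if the sample hash survives a trip through its hex form unchanged. */
int sample_roundtrip_ok(void)
{
    char hex[NT_HEX_LEN + 1];
    unsigned char back[NT_HASH_LEN];
    nt_hash_to_hex(SAMPLE_HASH, hex);
    if (nt_hex_to_hash(hex, back) != 0) return 0;
    return memcmp(SAMPLE_HASH, back, NT_HASH_LEN) == 0;
}

int main(void)
{
    char hex[NT_HEX_LEN + 1];
    nt_hash_to_hex(SAMPLE_HASH, hex);
    printf("strlen() keeps %zu of %d raw bytes; hex form %s round trip %s\n",
           raw_hash_strlen(SAMPLE_HASH), NT_HASH_LEN, hex,
           sample_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```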
Re: LDAP & MSCHAP errors
Great - thanks, Absolutely outstanding help thanks! :)

I hashed from ldap.attrmap as below

#checkItem LM-Password sambaLmPassword
#checkItem NT-Password sambaNtPassword

And it all worked! :)

Thanks very much!

Simon

>>> <[EMAIL PROTECTED]> 12/11/2008 13:46 >>>
> [ldap] Added the eDirectory password password in check items as
> Cleartext-Password

OK. Here is the clear text password.

> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"
> rlm_ldap: sambaNtPassword -> NT-Password ==
> 0x414539434130363637413341393742303139423034323645363933373332
> rlm_ldap: sambaLmPassword -> LM-Password ==
> 0x363542393930304434314234453336383139463130413944343836384443

So, you don't need these. Remove them and mschap will work. That hash looks decimal not hex to me. I don't think that they are correct.

Ivan Kalik
Kalik informatika ISP
Re: LDAP & MSCHAP errors
> [ldap] Added the eDirectory password password in check items as
> Cleartext-Password

OK. Here is the clear text password.

> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"
> rlm_ldap: sambaNtPassword -> NT-Password ==
> 0x414539434130363637413341393742303139423034323645363933373332
> rlm_ldap: sambaLmPassword -> LM-Password ==
> 0x363542393930304434314234453336383139463130413944343836384443

So, you don't need these. Remove them and mschap will work. That hash looks decimal not hex to me. I don't think that they are correct.

Ivan Kalik
Kalik informatika ISP
Re: LDAP & MSCHAP errors
FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Nov 10 2008 at 13:18:51
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/mschap.org
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
    prefix = "/usr/local"
    localstatedir = "/usr/local/var"
    logdir = "/usr/local/var/log/radius"
    libdir = "/usr/local/lib"
    radacctdir = "/usr/local/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
}
client 172.16.8.0/24 {
    require_message_authenticator = no
    secret = "testing123"
    shortname = "testing"
}
client 192.168.1.1/32 {
    require_message_authenticator = no
    secret = "w1f1netw0rk"
    shortname = "ArubaController"
}
radiusd: Loading Realms and Home Serv
Re: LDAP & MSCHAP errors
>>> pap against LDAP works fine
>>> chap against LDAP works fine (With ntradping)
>>
>> They used a different password.
>
> Do you mean chap and MSCHAPv2 require passwords in different formats or
> something?

No. There is a clear text password stored somewhere.

> I can auth CHAP, but with the same username and password can't auth
> CHAPv2 (with no config change on freeradius)
> My two debugs show that
> Debug: rlm_ldap: sambaNtPassword -> NT-Password ==
> 0x414539434130363637412341393742303139423034323445363933373332
> So the NT-Password is being retrieved from LDAP in both cases.

Yes. But chap wasn't using it.

>> A correct password.
>
> Do you think the hash being retrieved from LDAP is wrong then?

Yes.

> If I do put in an incorrect password I do get the same error message.

No surprise.

>> *
>>> Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
>>> "ommitted" for user testuser authentication.
>> *
>>
>> Where did that come from?
>
> I don't know - inside the chap module?

No.

> It's retrieved from LDAP.

Not that I can see. Post the whole debug and I will tell you where the clear text password is possibly stored.

Ivan Kalik
Kalik Informatika ISP
Re: LDAP & MSCHAP errors
>> pap against LDAP works fine
>> chap against LDAP works fine (With ntradping)
>
> They used a different password.

Do you mean chap and MSCHAPv2 require passwords in different formats or something?

I can auth CHAP, but with the same username and password can't auth CHAPv2 (with no config change on freeradius)
My two debugs show that
Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x414539434130363637412341393742303139423034323445363933373332
So the NT-Password is being retrieved from LDAP in both cases.

>> BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
>> Am I missing something required for MSCHAP to work? The NT-Password
>> seems to be retrieved...
>
> A correct password.

Do you think the hash being retrieved from LDAP is wrong then? If I do put in an incorrect password I do get the same error message.

Does anyone have Freeradius working with MSCHAP against eDir?

>> Working CHAP debug from ntradping:
>>
>> Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in directory...
>> Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"
>> Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x414539434130363637413341393742303139423034323645363933373332
>> Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword -> LM-Password == 0x363542393930304434314234453336383139463130413944343836384443
>> Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in directory...
>> Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use remote access
>> Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
>> Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
>> Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
>> Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
>> Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex encoding
>> Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex encoding
>> Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not changing it.
>> Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
>> Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
>> Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
>> Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser" with CHAP password
>
> *
>> Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password "ommitted" for user testuser authentication.
> *
>
> Where did that come from?

I don't know - inside the chap module? It's retrieved from LDAP. I'm using the default modules/chap - it just says:

chap {
    # no configuration
}

>> Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser authenticated succesfully
>
>> Default configuration in modules/mschap and modules/chap
>> In sites-enabled/default
>> authorize {
>> ldap
>> }
>
> That is obviously untrue from your debug.

Just checked again, modules/mschap has nothing unhashed. modules/chap has as above with # no configuration

> Try doing pap with that NT-Password from ldap (remove clear text password
> entry wherever it is).

Yeah - PAP works perfectly, chap works perfectly, MSCHAP doesn't.

Thanks

> Ivan Kalik
> Kalik Informatika ISP
Re: LDAP & MSCHAP errors
> We are trying to set up freeRADIUS 2.1.1 against eDirectory LDAP and
> getting problems.
> (Trying SLES 10 SP2 32bit and 64 bit)
> pap against LDAP works fine
> chap against LDAP works fine (With ntradping)

They used a different password.

> BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
> Am I missing something required for MSCHAP to work? The NT-Password
> seems to be retrieved...

A correct password.

> Working CHAP debug from ntradping:
>
> Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in directory...
> Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"
> Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x414539434130363637413341393742303139423034323645363933373332
> Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword -> LM-Password == 0x363542393930304434314234453336383139463130413944343836384443
> Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in directory...
> Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use remote access
> Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
> Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
> Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
> Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex encoding
> Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex encoding
> Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not changing it.
> Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
> Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
> Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
> Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser" with CHAP password

*
> Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password "ommitted" for user testuser authentication.
*

Where did that come from?

> Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser authenticated succesfully

> Default configuration in modules/mschap and modules/chap
> In sites-enabled/default
> authorize {
> ldap
> }

That is obviously untrue from your debug.

Try doing pap with that NT-Password from ldap (remove clear text password entry wherever it is).

Ivan Kalik
Kalik Informatika ISP