Oki, thanks. In fact, I want my radius client crypt my passwd in md5 for
example, and freeradius check the MD5 hash. So I understand I have to use PAP ?
In my modul ldap I think I have to put « password_attribute = userPassword ».
But If I do, I have to put my password in clear in my ldap, otherwise it don't
works. Also, I can comment the « password_attribute = userPassword » in my ldap
module and put my password in md5/ssha etc... in openldap and it works. But I
don't know very well why ??
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = auto
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = /var/log/radwtmp
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = Password:
auth_type = PAP
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /usr/local/etc/raddb/certs/server.pem
certificate_file = /usr/local/etc/raddb/certs/server.pem
CA_file = /usr/local/etc/raddb/certs/ca.pem
private_key_password = whatever
dh_file = /usr/local/etc/raddb/certs/dh
random_file = /usr/local/etc/raddb/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /usr/local/etc/raddb/certs/bootstrap
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = inner-tunnel
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
De : freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
De la part de Nicolas Goutte
Envoyé : mardi 19 mai 2009 14:45
À : FreeRadius users mailing list
Objet : Re: communication safe ssh - NAS - FreeRADIUS ?
Am 19.05.2009 um 14:14 schrieb François Mehault:
Hi,
I authenticate on cisco equipments via ssh/telnet. There is no supplicant, so I
don't understand in my case and i would like to know if the communication
between my cisco equipment and my FreeRadius safe is. I have a secret shared
between both. I understand that the communciation between freeradius and the
client radius use the protocol Radius. But in my case there is no PEAP, EAP/TLS
...
Someone can confirm me please if the communication is safe ? because I afraid
to see in the file users my password in clear-text. Is it possible to use md5,
ssha ... and how ?
For the compatibility, see
http://deployingradius.com/documents/protocols/compatibility.html
Thanks,
Regards,
François
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Have a nice day!
Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html