communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread François Mehault
Hi,

I authenticate to Cisco equipment via SSH/Telnet. There is no supplicant, so I
don't understand my case, and I would like to know whether the communication
between my Cisco equipment and my FreeRADIUS is safe. I have a shared secret
between both. I understand that the communication between FreeRADIUS and the
RADIUS client uses the RADIUS protocol. But in my case there is no PEAP, EAP/TLS
...
Can someone please confirm whether the communication is safe? Because I am afraid
of seeing my password in clear text in the users file. Is it possible to use md5,
ssha ... and how?

Thanks,

Regards,


François
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread Nicolas Goutte


On 19.05.2009 at 14:14, François Mehault wrote:


[...] Is it possible to use md5, ssha ... and how?

For the compatibility, see http://deployingradius.com/documents/protocols/compatibility.html







Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registry court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread François Mehault
OK, thanks. In fact, I want my RADIUS client to hash my password with MD5, for
example, and FreeRADIUS to check the MD5 hash. So I understand I have to use PAP?
In my ldap module I think I have to put « password_attribute = userPassword ».
But if I do, I have to put my password in clear in my LDAP, otherwise it doesn't
work. Also, I can comment out the « password_attribute = userPassword » in my ldap
module and put my password in md5/ssha etc. in OpenLDAP, and it works. But I
don't really know why?


modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = auto
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
    radwtmp = /var/log/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = Password: 
    auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = /usr/local/etc/raddb/certs/server.pem
    certificate_file = /usr/local/etc/raddb/certs/server.pem
    CA_file = /usr/local/etc/raddb/certs/ca.pem
    private_key_password = whatever
    dh_file = /usr/local/etc/raddb/certs/dh
    random_file = /usr/local/etc/raddb/certs/random
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = DEFAULT
    make_cert_command = /usr/local/etc/raddb/certs/bootstrap
    cache {
      enable = no
      lifetime = 24
      max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
   }

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread Ivan Kalik
 Can someone please confirm whether the communication is safe? Because I am
 afraid of seeing my password in clear text in the users file. Is it possible
 to use md5, ssha ... and how?


The RADIUS protocol *uses* MD5 to encrypt the password in the request.

http://www.ietf.org/rfc/rfc2865.txt

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread Ivan Kalik
 OK, thanks. In fact, I want my RADIUS client to hash my password with MD5, for
 example, and FreeRADIUS to check the MD5 hash. So I understand I have to use
 PAP? In my ldap module I think I have to put « password_attribute =
 userPassword ». But if I do, I have to put my password in clear in my
 LDAP, otherwise it doesn't work.

Store the password as {md5} followed by the encrypted value, and enable auto
header detection in the pap module (it's disabled by default):

   pap {
 encryption_scheme = auto
 auto_header = no
   }

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
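What the `{scheme}` header buys you, as an added example in Python (not FreeRADIUS or OpenLDAP code): generating `userPassword` values in the `{MD5}`, `{SMD5}`, `{SHA}` and `{SSHA}` forms, and the comparison a server has to make when it receives such a value with auto-header handling on: split off the header, base64-decode, separate digest from salt, rehash the candidate and compare. Which FreeRADIUS attribute carries the headered value differs between versions, so the example works on the string itself. Two things follow from it that the thread only hints at: unsalted `{MD5}`/`{SHA}` produce the same string for the same password every time and are precomputable, so prefer the salted forms; and once the directory holds only a hash, PAP is the one method that can check it, because CHAP and MS-CHAP need the cleartext or the NT hash on the server side (this is the compatibility point the linked deployingradius page makes). Sample password `hunter2` and the fixed salts are constructed values.

```python
"""LDAP-style {SCHEME} userPassword headers: building them and verifying them.

Added example; not FreeRADIUS or OpenLDAP code. Sample values are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme name -> (hash constructor, whether a salt is appended to the digest)
_SCHEMES = {
    "MD5":  (hashlib.md5,  False),
    "SMD5": (hashlib.md5,  True),
    "SHA":  (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
}


def make_hash(scheme: str, password: bytes, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value such as {SSHA}base64(sha1(pw || salt) || salt).

    Unsalted schemes ignore `salt` and always give the same output for the same
    password, which is exactly what makes them cheap to precompute.
    """
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return "{CLEAR}" + password.decode()
    func, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt   # 4-byte random salt, like slappasswd
    else:
        salt = b""
    digest = func(password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify(stored: str, candidate: bytes) -> bool:
    """Check `candidate` against a stored value by parsing its {SCHEME} header.

    A value with no header is treated as cleartext, which is what an unhashed
    userPassword in the directory amounts to. Unknown schemes are rejected
    rather than guessed. Comparisons are constant-time.
    """
    if not stored.startswith("{") or "}" not in stored:
        return hmac.compare_digest(stored.encode(), candidate)
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode(), candidate)
    if scheme not in _SCHEMES:
        return False
    func, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    dlen = func().digest_size
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (salt and not salted):
        return False
    return hmac.compare_digest(func(candidate + salt).digest(), digest)


if __name__ == "__main__":
    pw = b"hunter2"  # constructed sample password
    for scheme in ("MD5", "SMD5", "SHA", "SSHA"):
        value = make_hash(scheme, pw)
        print(value, verify(value, pw), verify(value, b"wrong"))
    # Unsalted output is stable across calls; salted output is not.
    print(make_hash("MD5", pw) == make_hash("MD5", pw),
          make_hash("SSHA", pw) == make_hash("SSHA", pw))
```

To load such a value into OpenLDAP you would set `userPassword` to the string `make_hash` returns; `slappasswd -h '{SSHA}'` produces the same format.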