RE: [WIRELESS-LAN] 802.1x authentication using LDAP
Hi All,

First off, thanks. I've gotten many responses from my original posting and that's been great. I am still finding it quite difficult to get this setup, so I was hoping that someone with the same/similar environment as myself might shed some light on how to configure things. I'd like to allow for Windows clients to authenticate via 802.1x using FreeRADIUS and with their user credentials stored in cleartext on an LDAP directory. Is anyone doing this setup? If so, I'm hoping to learn how you've set it up.

Thanks
Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Emerson Parker [mailto:[EMAIL PROTECTED]]
Sent: July 11, 2006 6:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP

I've actually gotten an 802.1x EAP client to auth against LDAP. It's not fun. You CAN'T use normal PEAP on the MSFT client because the credentials are passed via MSCHAPv2 in the PEAP tunnel. LDAP can't read MSCHAPv2.

The Funk/Juniper Odyssey client has a way of doing PEAP-GTC (Generic Token Card). Basically, the credentials are not encrypted inside the tunnel. This is for using SecurID tokens and such. You can take advantage of GTC's unencrypted user/password to then proxy the credentials over to an LDAP server.

Of course, EAP requires some sort of RADIUS server to terminate the 802.1x EAP-PEAP outer tunnel, and then it must be able to query an LDAP server with the clear text stuff. Some wireless vendors integrate this RADIUS offload or terminate the PEAP tunnel and then directly query LDAP. This eliminates the need for an external RADIUS server.

-Emerson

-----Original Message-----
From: Mark Linton [mailto:[EMAIL PROTECTED]]
Sent: Tue 7/11/2006 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP

> From what I can tell, the only way to deal with plaintext passwords stored in LDAP and still have username/password authentication is to go with EAP-TTLS and use the secure2 client.
> But I just saw the post by Tom Zeller and he's saying the hashed password does NOT go over the network with MS-CHAP. So I'm starting to get a bit confused.

Some background might help clarify here. The phrase EAP-TTLS, while being the correct name for the EAP type, does not fully qualify the implementation. TTLS is Tunneled TLS, TLS being Transport Layer Security, which by itself creates a tunnel. So we have two tunnels here: the one created by TLS -- sometimes called the outer tunnel -- and the unspecified inner tunnel. In the case of Tom Zeller's message, earlier, the inner tunnel was formed by MS-CHAPv2. Some people write this as EAP-TTLS-MSCHAPv2. The clear-text password version of EAP-TTLS uses the Password Authentication Protocol (PAP) to form the inner tunnel. Some people write this as EAP-TTLS-PAP.

So, Tom was correct in the context of Tom's discussion, and the people talking about username/password authentication were also correct. They were simply assuming different implementations of EAP-TTLS. Both are perfectly valid and each has its pros and cons.

Sincerely,
Mark Linton
[EMAIL PROTECTED]
www.personal.psu.edu/mhl100
814-865-4698

-----Original Message-----
From: Matt Ashfield [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 10, 2006 1:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP

Hi All,

Thanks for all the responses. It's great to be part of a useful mailing list like this! Just to clarify a few things: our passwords are stored in cleartext on the LDAP server. We are using SunOne for LDAP and FreeRADIUS for RADIUS. We have no desire to have individual client certificates and would prefer to do username/password against the LDAP server. From what I can tell, the only way to deal with plaintext passwords stored in LDAP and still have username/password authentication is to go with EAP-TTLS and use the secure2 client. But I just saw the post by Tom Zeller and he's saying the hashed password does NOT go over the network with MS-CHAP. So I'm starting to get a bit confused.

Any thoughts? Does anyone here have this same situation and have it working?

Thanks
Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: Michael Griego [mailto:[EMAIL PROTECTED]]
Sent: July 7, 2006 4:24 PM
To: [EMAIL PROTECTED]
Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP

Hey, Matt,

This setup is actually almost identical to what we're doing here at UT Dallas. As is commonly seen on the FreeRADIUS mailing lists, I think you may be confusing how to use PEAP with LDAP a little. In order to use PEAP with LDAP, you don't use LDAP authentication in FreeRADIUS. You have to store either a cleartext password or an NTLMv2 password hash in your LDAP directory for each of your users. Be sure if you do this to set appropriate ACLs on the attribute
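The arrangement Michael Griego describes (the cleartext password is fetched from LDAP during authorization, and FreeRADIUS itself verifies the MS-CHAPv2 response inside PEAP instead of trying an LDAP bind) sketched as a FreeRADIUS 1.x style configuration. This is an added illustration, not configuration from any poster in the thread; the server name, bind DN, base DN and certificate paths are placeholders.

```text
# radiusd.conf, modules section (added sketch, FreeRADIUS 1.x syntax)
ldap {
    server     = "ldap.example.edu"                      # placeholder
    identity   = "cn=radius,ou=services,dc=example,dc=edu"  # placeholder bind DN
    password   = "CHANGE-ME"                             # placeholder
    basedn     = "ou=people,dc=example,dc=edu"           # placeholder
    filter     = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls  = yes          # the directory hands back a cleartext password: never over plain LDAP
    # Attribute that holds the cleartext password (SunOne in the thread). Only the
    # bind identity above should be allowed to read it; enforce that with directory ACLs.
    password_attribute = userPassword
}

mschap {
    authtype           = MS-CHAP
    use_mppe           = yes  # return WPA keying material to the access point
    require_encryption = yes
}

# eap.conf
eap {
    default_eap_type = peap
    tls {
        private_key_file = ${raddbdir}/certs/radius-key.pem   # placeholder paths
        certificate_file = ${raddbdir}/certs/radius-cert.pem
        CA_file          = ${raddbdir}/certs/ca.pem
        dh_file          = ${raddbdir}/certs/dh
        random_file      = /dev/urandom
    }
    peap {
        default_eap_type = mschapv2   # what the Windows supplicant sends inside the tunnel
    }
    mschapv2 {
    }
}

# radiusd.conf, processing sections
authorize {
    preprocess
    eap
    ldap        # lookup only: pulls userPassword into the request for the mschap module
}

authenticate {
    Auth-Type MS-CHAP {
        mschap  # derives the NT hash from the fetched cleartext and checks the MS-CHAPv2 response
    }
    # Deliberately no "Auth-Type LDAP { ldap }": an LDAP bind cannot verify an MS-CHAPv2 response
    eap
}
```

If the directory stores only a salted hash such as {SSHA} rather than cleartext or the NT hash, this path cannot work and the inner method has to become one that delivers the password itself (PAP or GTC), as the other replies in the thread describe.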
RE: [WIRELESS-LAN] 802.1x authentication using LDAP
Might be best to ask the FreeRADIUS folks. List archives at http://lists.freeradius.org/pipermail/freeradius-users/ Join up at: http://lists.freeradius.org/mailman/listinfo/freeradius-users

I'd help but we're using FreeRADIUS against eDirectory and the passwords aren't in cleartext.

Mearl Danner
Systems Programmer
Samford University
http://www.samford.edu

-----Original Message-----
From: Matt Ashfield [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2006 11:41 AM
To: Danner, Mearl; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP