RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-07 Thread King, Michael
Hi Matt.

I'm going to answer your questions, and also point out something you've
missed.

You are using PEAP (if you are using the XP client, you are using PEAP).

To tell PEAP not to use your logon credentials but to prompt for them,
you have to uncheck something that is buried three menus deep.

See here for directions:
http://www.informit.com/guides/content.asp?g=security&seqNum=74&rl=1

See figure 7 for details

BUT

I don't think this will work for you.  (I'm making some assumptions
about your network that could prove me wrong.)
I assume you have Active Directory, with FreeRADIUS querying this via
LDAP?
If so, this setup won't work for you.  Active Directory, in the usual
Microsoft methodology, embraces standards and extends them with
proprietary extensions.
What does this mean?  It means by default you can't get passwords out of
AD.  You could store passwords in plaintext.  (Bad idea.)

You need to set up FreeRADIUS using the ntlm_auth helper program.  You
install Samba on the FreeRADIUS box, join it to the domain, and
configure FreeRADIUS to perform auths via ntlm_auth.  Then FreeRADIUS
will have no problem talking to Active Directory.  You can still use the
LDAP module to assign attributes.  (This was on the FreeRADIUS mailing
list last week.)

Hope this helped.

-Original Message-
From: Matt Ashfield [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 07, 2006 2:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x authentication using LDAP

Hi All

I'm trying to configure 802.1x wireless authentication using credentials
stored in LDAP.

I am running FreeRadius and SunOne ldap server. The Radius server is
correctly doing authentication attempts to the LDAP server (I issue the
"radtest" command with a username/passwd from LDAP and I get an
authenticate-accept back).

The next step is setting up an XP client to talk to an Access Point,
which is configured to authenticate via the RADIUS server, via LDAP. So
far, in my minimal testing, I've seen the client try to connect using
its Windows credentials rather than giving the user a chance to enter a
username/password.

I'm sure others out there are doing this. I'm just wondering what you're
using? EAP-TLS, PEAP, etc..?  I guess I need to get my acronyms straight
first and go from there.

From what I can tell PEAP will require my users to install a
certificate.
We'd much rather have them enter their LDAP usernames and
passwords.

Any advice is appreciated.

Thanks


Matt Ashfield
[EMAIL PROTECTED] 

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-07 Thread Philippe Hanset
Matt,

Since you are not in an Active Directory environment,
it will require a lot of "gymnastics" to make EAP-PEAP
work on Windows.
If you want to do testing, load the client from SecureW2; it works
very well in a FreeRADIUS/LDAP environment.

get the client at www.securew2.com, it's free and open-source
(Thanks to the Dutchmen)

You can see some of our installation instructions at
http://wireless.utk.edu/1x/

Just skip the certificate installation in our instructions.

Philippe Hanset
University of Tennessee



Re: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-07 Thread Michael Griego

Hey, Matt,

This setup is actually almost identical to what we're doing here at
UT Dallas.

As is commonly seen on the FreeRADIUS mailing lists, I think you may
be confusing how to use PEAP with LDAP a little.  In order to use
PEAP with LDAP, you don't use LDAP "authentication" in FreeRADIUS.
You have to store either a cleartext password or an NTLMv2 password
hash in your LDAP directory for each of your users.  Be sure if you
do this to set appropriate ACLs on the attribute containing the
password/hash so that only the RADIUS connect profile can get to that
attribute.  In any case, once you've done this, the LDAP module goes
in your authorize section in FR so that it can pull the password or
hash out and use it to perform the authentication itself using the
mschap module.

Also, for PEAP, you only need a certificate for your RADIUS servers
to authenticate the network to the users.  Your users don't need
personal certificates as they would using EAP-TLS.  If you purchase a
commercial certificate from one of the CAs included by default in
your client OSes, then you don't have to install anything on the
clients and just have to configure them for access.


These links might be useful for you:

UTD's 802.1x setup instructions for Windows XP:
http://www.utdallas.edu/ir/cats/network/wlan/8021x/winxp/index.html

I actually gave an Educause Live presentation on UTD's 802.1x
deployment.  It's archived here:

http://www.educause.edu/LIVE058

Hope that helps!

--Mike



RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-07 Thread King, Michael
 

-Original Message-
On Fri, 7 Jul 2006, Matt Ashfield wrote:

> I am running FreeRadius and SunOne ldap server. 

Whoops, missed that part.



RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-10 Thread Matt Ashfield
Hi All,

Thanks for all the responses. It's great to be part of a useful mailing list
like this!

Just to clarify a few things: 
our passwords are stored in cleartext on the ldap server. 
We are using SunOne for LDAP and FreeRadius for radius. 
We have no desire to have individual client certificates and would prefer to
do username/password against the LDAP server.

From what I can tell, the only way to deal with plaintext passwords stored
in LDAP and still have username/password authentication is to go with
EAP-TTLS and use the SecureW2 client.

But I just saw the post by Tom Zeller and he's saying the hashed password
does NOT go over the network with MS-CHAP. So I'm starting to get a bit
confused.

Any thoughts? Does anyone here have this same situation and have it working?

Thanks

Matt Ashfield
[EMAIL PROTECTED] 




Re: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-10 Thread Michael Griego
If you indeed have an unhashed cleartext password stored in your
directory, then you can, by all means, do PEAP.  The profile that
FreeRADIUS uses to authenticate to the directory will need to have
access to the hash attribute so that it can pull the password and use
it to do the necessary hashing inside its own code.


--Mike



Re: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-10 Thread Stan Brooks

Matt,

Let me clarify the certificate requirements for WPA/WPA2 Enterprise mode
(802.1x) authentication.

The following EAP-Types require a cert on the Authentication Server
(RADIUS server): EAP-TLS, EAP-TTLS, EAP-PEAPv0 (Microsoft) and
EAP-PEAPv1 (Cisco).  This is required to authenticate the Auth Server to
the client.

Only EAP-TLS requires client certs (PKI).  EAP-TLS doesn't use
usernames/passwords as the certs authenticate the client & Auth Server
to each other.  All of the other above EAP-Types use usernames/passwords
(or hashes) to authenticate the client to the Auth Server.

I put together a table of the various EAP-Types with their traits for a
presentation I did at the ResNet Symposium.  There is a PDF of the
presentation available from the ResNet Symposium site if you are
interested in it.


>>-> Stan Brooks - CWNA/CWSP
 Emory University
 Network Communications Division
 404.727.0226
 [EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]



RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-11 Thread Mark Linton
> From what I can tell, the only way to deal with plaintext passwords stored
> in LDAP and still have username/password authentication is to go with
> EAP-TTLS and use the SecureW2 client.
>
> But I just saw the post by Tom Zeller and he's saying the hashed password
> does NOT go over the network with MS-CHAP. So I'm starting to get a bit
> confused.

Some background might help clarify here.

The phrase "EAP-TTLS," while being the correct name for the EAP type, does
not fully qualify the implementation.

TTLS is "Tunneled TLS." TLS being "Transport Layer Security," which by
itself creates a tunnel. So we have two tunnels here. The one created by TLS
-- sometimes called the "outer" tunnel -- and the unspecified "inner"
tunnel.

In the case of Tom Zeller's message, earlier, the inner tunnel was formed by
MS-CHAPv2. Some people write this as EAP-TTLS-MSCHAPv2.

The "clear-text password" version of EAP-TTLS uses the "Password
Authentication Protocol" (PAP) to form the inner tunnel. Some people write
this as EAP-TTLS-PAP.

So, Tom was correct in the context of Tom's discussion, and the people
talking about username/password authentication were also correct. They were
simply assuming different implementations of EAP-TTLS. Both are perfectly
valid and each has its pros and cons.

Sincerely,

Mark Linton
[EMAIL PROTECTED]
www.personal.psu.edu/mhl100
814-865-4698 
RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-11 Thread Emerson Parker
I've actually gotten an 802.1x EAP client to auth against LDAP. It's not fun.

You can't use normal PEAP on the MSFT client because the credentials are passed
via MSCHAPv2 in the PEAP tunnel.  LDAP can't read MSCHAPv2.  The Funk/Juniper
Odyssey client has a way of doing PEAP-GTC (Generic Token Card).  Basically,
the credentials are not encrypted inside the tunnel.  This is for using
SecurID tokens and such.  You can take advantage of GTC's unencrypted
user/password to then proxy the credentials over to an LDAP server.  Of course,
EAP requires some sort of RADIUS server to terminate the 802.1x EAP-PEAP outer
tunnel, and then it must be able to query an LDAP server with the clear-text
stuff.  Some wireless vendors integrate this "RADIUS offload" or terminate the
PEAP tunnel and then directly query LDAP.  This eliminates the need for an
"external" RADIUS server.

-Emerson





RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-12 Thread Matt Ashfield
Hi All,

First off, thanks. I've gotten many responses from my original posting and
that's been great. I am still finding it quite difficult to get this set up,
so I was hoping that someone with the same/similar environment as myself
might shed some light on how to configure things.

I'd like to allow for windows clients to authenticate via 802.1x using
Freeradius and with their user credentials stored in cleartext on an LDAP
directory. Is anyone doing this setup? If so, I'm hoping to learn how you've
set it up.

Thanks

Matt
[EMAIL PROTECTED] 


-Original Message-
From: Emerson Parker [mailto:[EMAIL PROTECTED] 
Sent: July 11, 2006 6:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP

I've actually gotten an 802.1x EAP client to auth against LDAP. It's not
fun.

You can't use normal PEAP on the MSFT client because the credentials are
passed via MSCHAPv2 in the PEAP tunnel. LDAP can't read MSCHAPv2. The
Funk/Juniper Odyssey client has a way of doing PEAP-GTC (Generic Token
Card). Basically, the credentials are not encrypted inside the tunnel.
This is for using SecurID tokens and such. You can take advantage of GTC's
unencrypted user/password to then proxy the credentials over to an LDAP
server. Of course, EAP requires some sort of RADIUS server to terminate the
802.1x EAP-PEAP outer tunnel and then it must be able to query an LDAP
server with the clear text stuff. Some wireless vendors integrate this
"RADIUS offload" or terminate the PEAP tunnel and then directly query LDAP.
This eliminates the need for an "external" RADIUS server.

-Emerson




-Original Message-
From: Mark Linton [mailto:[EMAIL PROTECTED]
Sent: Tue 7/11/2006 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP
 
> From what I can tell, the only way to deal with plaintext passwords
> stored
> in LDAP and still have username/password authentication is to go with
> EAP-TTLS and use the secure2 client.
> 
> But I just saw the post by Tom Zeller and he's saying the hashed password
> does NOT go over the network with MS-CHAP. So I'm starting to get a bit
> confused.

Some background might help clarify here.

The phrase "EAP-TTLS," while being the correct name for the EAP type, does
not fully qualify the implementation.

TTLS is "Tunneled TLS," TLS being "Transport Layer Security," which by
itself creates a tunnel. So we have two tunnels here: the one created by TLS
-- sometimes called the "outer" tunnel -- and the unspecified "inner"
tunnel.

In the case of Tom Zeller's message, earlier, the inner tunnel was formed by
MS-CHAPv2. Some people write this as EAP-TTLS-MSCHAPv2.

The "clear-text password" version of EAP-TTLS uses the "Password
Authentication Protocol" (PAP) to form the inner tunnel. Some people write
this as EAP-TTLS-PAP.

So, Tom was correct in the context of Tom's discussion, and the people
talking about username/password authentication were also correct. They were
simply assuming different implementations of EAP-TTLS. Both are perfectly
valid and each has its pros and cons.

Sincerely,

Mark Linton
[EMAIL PROTECTED]
www.personal.psu.edu/mhl100
814-865-4698 
> -----Original Message-
> From: Matt Ashfield [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 10, 2006 1:53 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP
> 
> Hi All,
> 
> Thanks for all the responses. It's great to be part of a useful mailing
> list
> like this!
> 
> Just to clarify a few things:
> our passwords are stored in cleartext on the ldap server.
> We are using SunOne for LDAP and FreeRadius for radius.
> We have no desire to have individual client certificates and would prefer
> to
> do username/password against the LDAP server.
> 
> From what I can tell, the only way to deal with plaintext passwords
> stored
> in LDAP and still have username/password authentication is to go with
> EAP-TTLS and use the secure2 client.
> 
> But I just saw the post by Tom Zeller and he's saying the hashed password
> does NOT go over the network with MS-CHAP. So I'm starting to get a bit
> confused.
> 
> Any thoughts? Does anyone here have this same situation and have it
> working?
> 
> Thanks
> 
> Matt Ashfield
> [EMAIL PROTECTED]
> 
> 
> -Original Message-
> From: Michael Griego [mailto:[EMAIL PROTECTED]
> Sent: July 7, 2006 4:24 PM
> To: [EMAIL PROTECTED]
> Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP
> 
> Hey, Matt,
> 
> This setup is actually almost identical to what we're doing he
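
Added example (Python, not from any of the posts) of what Mark Linton's inner/outer distinction means on the RADIUS side: with PAP as the inner method the server receives the password itself and can check it against either a cleartext or a salted-SHA `{SSHA}` userPassword, whereas an MS-CHAPv2 inner method (PEAP or TTLS) leaves the server with only a challenge/response that can be checked from a cleartext password or a stored NT hash, never from an SSHA digest. The directory entries, the sambaNTPassword attribute name and the salt are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not from the thread): the values below stand in for
# what the LDAP module pulls out of a user's entry in the authorize phase.
SSHA_SALT = b"\x10\x20\x30\x40"  # assumed fixed salt for reproducibility


def make_ssha(password: str, salt: bytes = SSHA_SALT) -> str:
    """Store a password as salted SHA-1, the common LDAP {SSHA} scheme."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


DIRECTORY = {
    "matt": {"userPassword": "secret123"},           # cleartext, as in Matt's setup
    "mark": {"userPassword": make_ssha("hunter2")},  # hashed; PAP is still checkable
    "tom": {"sambaNTPassword": "<nt-hash-placeholder>"},  # NT hash only (assumed attribute)
}


def pap_verify(stored: str, candidate: str) -> bool:
    """EAP-TTLS-PAP inner tunnel: the server holds the cleartext candidate, so it
    can compare against a cleartext or an {SSHA} userPassword value."""
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]          # SHA-1 digest is 20 bytes
        calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    if stored.startswith("{"):
        return False  # some other hashing scheme this example does not handle
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def inner_methods_supported(entry: dict) -> set:
    """Which inner methods the RADIUS server can verify from what is stored.
    MS-CHAPv2 needs the NT hash (derivable from cleartext or stored directly);
    PAP works with cleartext or {SSHA} alike."""
    methods = set()
    pw = entry.get("userPassword")
    if pw is not None:
        methods.add("PAP")
        if not pw.startswith("{"):
            methods.add("MSCHAPv2")  # cleartext: server can compute the NT hash
    if "sambaNTPassword" in entry:
        methods.add("MSCHAPv2")
    return methods


def ttls_pap_auth(username: str, password: str) -> bool:
    """Authorize (pull the entry) then authenticate with PAP, as the thread describes."""
    entry = DIRECTORY.get(username)
    if entry is None or "userPassword" not in entry:
        return False
    return pap_verify(entry["userPassword"], password)
```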

RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-12 Thread Danner, Mearl
Might be best to ask the freeradius folks.

List archives at http://lists.freeradius.org/pipermail/freeradius-users/

Join up at:

http://lists.freeradius.org/mailman/listinfo/freeradius-users

I'd help but we're using freeradius against eDirectory and the passwords
aren't in cleartext.

Mearl Danner
Systems Programmer
Samford University
http://www.samford.edu


 
