@lists.freeradius.org
Subject: Re: LDAP/MSCHAP
Andreas Rudat wrote:
> Am 12.11.2011 23:00, schrieb Sven Hartge:
>> This also means you have to protect those Hashes inside your database
>> like a raw cleartext password, as you can authenticate to any Windows
>> box with the knowle
Andreas Rudat wrote:
> Am 12.11.2011 23:00, schrieb Sven Hartge:
>> This also means you have to protect those Hashes inside your database
>> like a raw cleartext password, as you can authenticate to any Windows
>> box with the knowledge of the NT/LM-Hash.
>>
>> This has been exploited by several
Am 12.11.2011 23:00, schrieb Sven Hartge:
> Sven Hartge wrote:
>> Andreas Rudat wrote:
>>> Am 11.11.2011 03:56, schrieb Fajar A. Nugraha:
On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
> I agree with Jake, in that I *think* it would be possible to have a
> plugin or whatever in
Sven Hartge wrote:
> Andreas Rudat wrote:
>> Am 11.11.2011 03:56, schrieb Fajar A. Nugraha:
>>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
I agree with Jake, in that I *think* it would be possible to have a
plugin or whatever interface with LDAP/AD in the same manner
ntl
Andreas Rudat wrote:
> Am 11.11.2011 03:56, schrieb Fajar A. Nugraha:
>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
>>> I agree with Jake, in that I *think* it would be possible to have a
>>> plugin or whatever interface with LDAP/AD in the same manner
>>> ntlm_auth does. I don't think
On 11/12/2011 06:43 PM, Andreas Rudat wrote:
But if that works, why then all are saying that you can just work with
plaintext? It's really confusing.
If you have the plaintext, you can generate any hash, and of course
perform any auth mechanism.
Am 11.11.2011 03:56, schrieb Fajar A. Nugraha:
> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
>> I agree with Jake, in that I *think* it would be possible to have a plugin
>> or whatever interface with LDAP/AD in the same manner ntlm_auth does. I
>> don't think one *needs* a cleartext pa
Gary Gatten wrote:
> I agree with Jake, in that I *think* it would be possible to have a plugin or
> whatever interface with LDAP/AD in the same manner ntlm_auth does.
It's possible to have a plugin, but there is no benefit. FreeRADIUS
already has an LDAP plugin.
The *only* reason for ntlm_
Whitlow, Michael wrote:
> I am really close to a successful Freeradius implementation for 802.1X
> wireless using LDAP authentication on the back end.
Are you sure the backend is LDAP, and not AD?
If it's AD, see my web page: http://deployingradius.com
It has complete instructions for con
On 11/11/2011 01:29 AM, Gary Gatten wrote:
I agree with Jake, in that I *think* it would be possible to have a
plugin or whatever interface with LDAP/AD in the same manner
ntlm_auth does. I don't think one *needs* a cleartext password, but
To quote from the other email I just sent:
"""
People
On 11/10/2011 11:36 PM, Sallee, Stephen (Jake) wrote:
Please forgive the interjection, but does anyone know of a helper
module like ntlm_auth that would work with LDAP, seems like such a
tool would make questions like this a non-issue.
MSCHAP is a challenge-response mechanism. To execute the cr
On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote:
> I agree with Jake, in that I *think* it would be possible to have a plugin or
> whatever interface with LDAP/AD in the same manner ntlm_auth does. I don't
> think one *needs* a cleartext password, but does need some way to compare
> apples-
dius-users@lists.freeradius.org
Subject: Re: LDAP/MSCHAP
"Sallee, Stephen (Jake)" wrote:
> Please forgive the interjection, but does anyone know of a helper
> module like ntlm_auth that would work with LDAP, seems like such a
> tool would make questions like this a non-i
"Sallee, Stephen (Jake)" wrote:
> Please forgive the interjection, but does anyone know of a helper
> module like ntlm_auth that would work with LDAP, seems like such a
> tool would make questions like this a non-issue.
No, will not work. You can't transform the normally used hashes back
into a
: freeradius-users@lists.freeradius.org
Subject: Re: LDAP/MSCHAP
Whitlow, Michael wrote:
> I am really close to a successful Freeradius implementation for 802.1X
> wireless using LDAP authentication on the back end.
Nope, you are not very close.
You _cannot_ use any LDAP authentication (via b
Whitlow, Michael wrote:
> I am really close to a successful Freeradius implementation for 802.1X
> wireless using LDAP authentication on the back end.
Nope, you are not very close.
You _cannot_ use any LDAP authentication (via binding with a DN to the
LDAP server) with any CHAP authentication.
Hi,
>[mschap] No Cleartext-Password configured. Cannot create LM-Password.
>[mschap] No Cleartext-Password configured. Cannot create NT-Password.
store your passwords in the LDAP as NT-Password or LM-Password
hashes. this then allows the PEAP/MSCHAPv2 method of EAP to work.
alan
> Also any ideas as to how I may insert the variable from perl would be
> nice.
Read rlm_perl documentation.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
, 2009 11:03 AM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error
Larry Ross wrote:
> LOL, K. Just found it interesting that with so little data you were able to
> divine our schema. The problem here is our LDAP tree will not or cannot
> change (political reasons... L
: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error
Larry Ross wrote:
> LOL, K. Just found it interesting that with so little data you were able to
> divine our schema. The problem here is our LDAP tree will not or cannot
> change (political reasons... Long story sucks for me, bu
Larry Ross wrote:
> LOL, K. Just found it interesting that with so little data you were able to
> divine our schema. The problem here is our LDAP tree will not or cannot
> change (political reasons... Long story sucks for me, but as they say wish in
> one hand and poop in the other, get back t
iling list
Subject: Re: LDAP MSCHAP error
Larry Ross wrote:
> Hmm interesting, how were you able to divine that that is how we are storing
> the hash values...
C programming 101.
Alan DeKok.
I don't want to receive any email from freeradius-users@lists.freeradius.org .
plss
--- On Fri, 8/21/09, Alan DeKok wrote:
From: Alan DeKok
Subject: Re: LDAP MSCHAP error
To: "FreeRadius users mailing list"
Date: Friday, August 21, 2009, 11:35 PM
Larry Ross wrote:
> Hm
Larry Ross wrote:
> Hmm interesting, how were you able to divine that that is how we are storing
> the hash values...
C programming 101.
Alan DeKok.
Sent: Thursday, August 20, 2009 11:59 PM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error
Larry Ross wrote:
> It appears though that there may be a bug in the string copy function of
> the rlm_ldap function (or whatever is responsible for copying the
> attributes from LDAP
Larry Ross wrote:
> It appears though that there may be a bug in the string copy function of
> the rlm_ldap function (or whatever is responsible for copying the
> attributes from LDAP to Server core for MSCHAP challenge compare) We
> noticed the truncation upon "00" and "3d" in the NT-Password ha
Great - thanks,
Absolutely outstanding help thanks! :)
I hashed from ldap.attrmap as below
#checkItem LM-Password sambaLmPassword
#checkItem NT-Password sambaNtPassword
And it all worked! :)
Thanks very much!
Simon
>>> <[EMAIL PROTECTED]> 12/11/20
>[ldap] Added the eDirectory password password in check items as
>Cleartext-Password
OK. Here is the clear text password.
>[ldap] No default NMAS login sequence
>[ldap] looking for check items in directory...
>rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"
>rlm_ldap: sambaNtPassw
FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on
Nov 10 2008 at 13:18:51
Copyright (C) 1999-2008 The FreeRADIUS server project and
contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS und
>>>pap against LDAP works fine
>>>chap against LDAP works fine (With ntradping)
>>
>>They used different password.
>
>Do you mean chap and MSCHAPv2 require passwords in different formats or
>something?
No. There is a clear text password stored somewhere.
>I can auth CHAP, but with the same userna
>>pap against LDAP works fine
>>chap against LDAP works fine (With ntradping)
>
>They used different password.
Do you mean chap and MSCHAPv2 require passwords in different formats or
something?
I can auth CHAP, but with the same username and password can't auth
CHAPv2
(with no config change on fre
>We are trying to set up freeRADIUS 2.1.1 against eDirectory LDAP and
>getting problems.
>(Trying SLES 10 SP2 32bit and 64 bit)
>pap against LDAP works fine
>chap against LDAP works fine (With ntradping)
They used different password.
>BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
32 matches