Hi!

Christopher Price wrote:
> I am running freeradius 1.0.0 and I am attempting to configure an LDAP
> backend DB to authenticate Windows users. The Windows users are using
> PEAP with MSCHAPv2. Earlier I got the LDAP authentication working with
> clear passwords, but now that the passwords are being hashed. I know
> that LDAP stores cleartext passwords, but there must be some way to make
> this work. Any help would be appreciated.
>

I have similar requirements and I have a working setup for that.

I have to admit that it took me several days to figure out a working configuration. I found some documentation and lots of websites and mail archives, but for the most part they seem either outdated, they contradict each other, or they talk about different things... :-(

So here's my current knowledge about MSCHAPv2+PPTP+RADIUS+LDAP. I hope it is helpful...

1.) We have a Linux NAS running the poptop pptp daemon (v1.1.3) and ppp 2.4.2 with support for MPPE and MSCHAPv2. There is also the ppp radius plugin installed.

The relevant configuration entries for PPP are in file /etc/ppp/options.pptp and look like this:

    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe
    plugin radius.so

The PPP radius plugin is configured in file /etc/radiusclient/radiusclient.conf to use the internal AAA server (attributes "authserver", "acctserver", etc. - this should be quite straightforward).

2.) The internal AAA server is running freeradius-1.0.0 and openldap-2.2.17 under Linux. This is the hairy part!

2.1) First, the OpenLDAP server is set up to act as a central database for all user authorization and accounting in the whole network. It hosts the whole stuff for POSIX accounts, Samba accounts, mail server and so on. All Linux clients and services are using this system either via PAM (like openssh), PAM via saslauthd (like cyrus imapd) or directly (like samba). IMHO it is most important to have this working first.
You have to have some way to store your Samba NT and LM passwords in your LDAP tree! I use samba 3.x, so I have the new Samba LDAP schema loaded into openldap (this is important to know, because attribute names have changed!)

We also have some web GUI installed to be able to modify the LDAP database in an easy way (we use phpldapadmin).

2.2) The FreeRADIUS server is set up to support MSCHAPv2 authentication. This is not trivial and requires some fiddling.

2.2.1) I changed ldap.attrmap to support the new Samba LDAP schema:

    checkItem       LM-Password     sambaLmPassword
    checkItem       NT-Password     sambaNtPassword

2.2.2) In radiusd.conf I have the mschap and ldap modules configured as follows:

    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = no
    }

    ldap {
        server = "ldap.example.com"
        identity = "cn=admin,ou=accounts,dc=example,dc=com"
        password = mysecretpwd
        basedn = "ou=accounts,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        password_attribute = sambaNTPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = no
    }

2.2.3) In radiusd.conf I have the authorize and authenticate sections configured as follows:

    authorize {
        preprocess
        auth_log
        suffix
        files
        ldap
        mschap
    }

    authenticate {
        mschap
    }

IMHO there are two important parts here:

a) in the authorize section I have the "ldap" module and the "mschap" module following immediately
b) in the "authenticate" section there is only the "mschap" module listed.

With this setup, a successful PPTP VPN login from a Windows 2000 client looks as follows (from the freeradius point of view):

[...]
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host nnn.nnn.nnn.3:32770, id=118, length=131
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "max"
        MS-CHAP-Challenge = 0xde65622e5ee33d76564050f066c5ed08
        MS-CHAP2-Response = 0x42007abfccafd6a8ad3f81ac09c888027cf600000000000000007ddcd3d388abc667d87b8920cc9d6e2c6f70ef5396e35841
        NAS-IP-Address = nnn.nnn.nnn.3
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:  '/var/log/radius/radacct/nnn.nnn.nnn.3/auth-detail-20041005'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/nnn.nnn.nnn.3/auth-detail-20041005
  modcall[authorize]: module "auth_log" returns ok for request 1
    rlm_realm: No '@' in User-Name = "max", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
    users: Matched DEFAULT at 171
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for max
radius_xlat:  '(uid=max)'
radius_xlat:  'ou=accounts,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.example.com:389, authentication 0
rlm_ldap: bind as cn=admin,ou=accounts,dc=example,dc=com/secret to ldap.example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=accounts,dc=example,dc=com, with filter (uid=max)
rlm_ldap: Added password 24EDEF64E1422D57F5262279E125255B in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNtPassword as NT-Password, value 24EDEF64E1422D57F5262279E125255B & op=21
rlm_ldap: Adding sambaLmPassword as LM-Password, value 29DF1C8D827B3E35AAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user max authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
  modcall[authorize]: module "mschap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_mschap: Found LM-Password
  rlm_mschap: Found NT-Password
  rlm_mschap: Told to do MS-CHAPv2 for max with NT-Password
  rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 1
modcall: group authenticate returns ok for request 1
Sending Access-Accept of id 118 to nnn.nnn.nnn.3:32770
        Framed-MTU = 576
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User
        MS-CHAP2-Success = 0x42533d39414442394242333437433343423433413839414134373545433246353636433134443038313434
        MS-MPPE-Recv-Key = 0xf08c84806286f62c245e36db54c9f5d4
        MS-MPPE-Send-Key = 0xed74ac5f84b98121e71253d36ab7d87a
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
Finished request 1
[...]

As far as I can tell this works quite fine. If anyone wants to comment on this setup or has some tips and improvements, I would be happy to hear them. Perhaps we can collect all the information and write an up-to-date HOWTO for this kind of application.

Fact is, I still have some loose ends which I want to solve.

1.) Most important: I still do not really understand all the configuration details of freeradius. There are still lots of mystic configuration attributes and I don't know if I need all of them or not. This makes me nervous.

2.) I want to have the VPN users in several different access groups. I currently do not know how to set this up in an elegant way.

Any comments are welcome!
- andreas

-- 
Andreas Haumer                     | mailto:[EMAIL PROTECTED]
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html