Hi!
Christopher Price wrote:
> I am running freeradius 1.0.0 and I am attempting to configure an LDAP
> backend DB to authenticate Windows users. The Windows users are using
> PEAP with MSCHAPv2. Earlier I got the LDAP authentication working with
> clear passwords, but now that the passwords are being hashed. I know
> that LDAP stores cleartext passwords, but there must be some way to make
> this work. Any help would be appreciated.
>
I have similar requirements and I have a working setup for
that. I have to admit that it took me several days to figure
out a working configuration. I found some documentation and
lots of websites and mail-archives, but for the most part they
seem either outdated, they contradict each other or they
talk about different things... :-(
So here's my current knowledge about MSCHAPv2+PPTP+RADIUS+LDAP.
I hope it is helpful...
1.) We have a Linux NAS running the poptop pptp daemon (v1.1.3)
and ppp 2.4.2 with support for mppe and mschapv2. There is
also the ppp radius plugin installed.
The relevant configuration entries for PPP are in file
/etc/ppp/options.pptp and look like this:
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
plugin radius.so
The PPP radius plugin is configured in file
/etc/radiusclient/radiusclient.conf to use the internal
AAA server (attributes "authserver", "acctserver",
etc.); this should be quite straightforward.
2.) The internal AAA server is running freeradius-1.0.0
and openldap-2.2.17 under Linux. This is the hairy part!
2.1) First, the OpenLDAP server is set up to act as a central
database for all user authorization and accounting in the
whole network. It hosts everything for POSIX accounts,
Samba accounts, the mail server and so on. All Linux clients and
services are using this system either via PAM (like openssh),
PAM via saslauthd (like cyrus imapd) or directly (like samba).
IMHO it is most important to have this working first. You
have to have some way to store your samba NT and LM passwords
in your LDAP tree! I use samba 3.x so I have the new samba LDAP
schema loaded into openldap (this is important to know, because
attribute names have changed!)
We also have a web GUI installed to be able to modify the LDAP
database in an easy way (we use phpldapadmin).
2.2) The FreeRADIUS server is set up to support MSCHAPv2 authentication.
This is not trivial and requires some fiddling.
2.2.1) I changed ldap.attrmap to support the new samba LDAP schema:
    checkItem LM-Password sambaLmPassword
    checkItem NT-Password sambaNtPassword
2.2.2) in radiusd.conf I have the mschap and ldap modules
configured as follows:
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = no
    }
    ldap {
        server = "ldap.example.com"
        identity = "cn=admin,ou=accounts,dc=example,dc=com"
        password = mysecretpwd
        basedn = "ou=accounts,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        password_attribute = sambaNTPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = no
    }
2.2.3) in radiusd.conf I have the authorize and authenticate
sections configured as follows:
    authorize {
        preprocess
        auth_log
        suffix
        files
        ldap
        mschap
    }
    authenticate {
        mschap
    }
IMHO there are two important parts here:
a) in the authorize section I have the "ldap" module followed
immediately by the "mschap" module
b) in the "authenticate" section there is only the "mschap" module listed.
With this setup, a successful PPTP VPN login from a Windows 2000 client
looks as follows (from the freeradius point of view):
[...]
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host nnn.nnn.nnn.3:32770, id=118, length=131
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "max"
MS-CHAP-Challenge = 0xde65622e5ee33d76564050f066c5ed08
MS-CHAP2-Response = 0x42007abfccafd6a8ad3f81ac09c888027cf600000000000000007ddcd3d388abc667d87b8920cc9d6e2c6f70ef5396e35841
NAS-IP-Address = nnn.nnn.nnn.3
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radius/radacct/nnn.nnn.nnn.3/auth-detail-20041005'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/nnn.nnn.nnn.3/auth-detail-20041005
modcall[authorize]: module "auth_log" returns ok for request 1
rlm_realm: No '@' in User-Name = "max", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
users: Matched DEFAULT at 171
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for max
radius_xlat: '(uid=max)'
radius_xlat: 'ou=accounts,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.example.com:389, authentication 0
rlm_ldap: bind as cn=admin,ou=accounts,dc=example,dc=com/secret to ldap.example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=accounts,dc=example,dc=com, with filter (uid=max)
rlm_ldap: Added password 24EDEF64E1422D57F5262279E125255B in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNtPassword as NT-Password, value 24EDEF64E1422D57F5262279E125255B & op=21
rlm_ldap: Adding sambaLmPassword as LM-Password, value 29DF1C8D827B3E35AAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user max authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for max with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 1
modcall: group authenticate returns ok for request 1
Sending Access-Accept of id 118 to nnn.nnn.nnn.3:32770
Framed-MTU = 576
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Service-Type = Framed-User
MS-CHAP2-Success = 0x42533d39414442394242333437433343423433413839414134373545433246353636433134443038313434
MS-MPPE-Recv-Key = 0xf08c84806286f62c245e36db54c9f5d4
MS-MPPE-Send-Key = 0xed74ac5f84b98121e71253d36ab7d87a
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
Finished request 1
[...]
As far as I can tell this works quite fine. If anyone wants to
comment on this setup or has some tips and improvements I would
be happy to hear them. Perhaps we can collect all the information and
write an up-to-date HOWTO for this kind of application.
Fact is, I still have some loose ends which I want to solve.
1.) Most important: I still do not really understand all the
configuration details of freeradius. There are still lots
of mystic configuration attributes and I don't know if I
need all of them or not. This makes me nervous.
2.) I want to have the VPN users in several different access
groups. I currently do not know how to set this up in an
elegant way.
Any comments are welcome!
- andreas
--
Andreas Haumer | mailto:[EMAIL PROTECTED]
*x Software + Systeme | http://www.xss.co.at/
Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0
A-1100 Vienna, Austria | Fax: +43-1-6060114-71
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html