On Wed, 12 Dec 2001, Michael Cunningham wrote:

> Hiya,
> 
> I have a Nortel VPN server authenticating off the freeradius server (12/06
> snapshot) which uses an ldap server for its user information.
> The end users are using pptp. When using PAP to authenticate, the client
> works fine. When using CHAP or EAP it doesn't. Unfortunately, without
> CHAP or EAP working, the payloads in the packets are not encrypted
> using pptp, only the link.
> 
> Quote from http://www.sans.org/infosecFAQ/encryption/VPN_sec.htm 
> 
> "Encryption in PPTP is handled by using Microsoft Point-to-Point
> Encryption (MPPE). MPPE provides only link encryption and in Windows 2000
> you have to use EAP or MS-CHAP in order to encrypt PPTP payloads. MPPE
> uses the RSA RC4 stream cipher for 40-bit, 56-bit & 128-bit encryption."

Based on the above, you need MS-CHAP or EAP, not CHAP.

> 
> I have read the FAQ section on CHAP, but putting the passwords directly
> in the users file is not an option. I store my passwords in the LDAP
> server in clear text. Can I have CHAP look to the LDAP server for those
> passwords? I am of course using SSL/TLS for all data connections to the
> LDAP server.

Sure. Take a look at the rlm_ldap file in the doc folder. In general you will
have to set the password_header and password_attribute configuration directives
so that rlm_ldap can extract the cleartext passwords from the ldap server and
set up an authtype in the authenticate section like this (if you are using CHAP):

authtype CHAP {
        chap
}

That should do it.

--
kkalev

> 
> Thanks for any assistance you can offer.
> Mike
> 
> rad_recv: Access-Request packet from host 137.236.215.1:3793, id=188, length=92
>       User-Name = "mdh"
>       CHAP-Password = "\256\212\321\205\0171\211\024\213\263\013\372\216l\017\210"
>       CHAP-Challenge = "\221\302z\324\337Pv\274\240/8\350/\0275\345"
>       Service-Type = Authenticate-Only
>       Framed-Protocol = PPP
>       NAS-IP-Address = 137.236.215.1
>       NAS-Port = 22844
>       NAS-Port-Type = Virtual
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for mdh
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user mdh authorized to use remote access
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".
> Login incorrect: [mdh/<CHAP-Password>] (from nas 137.236.215.1 port 22844)
> Sending Access-Reject of id 188 to 137.236.215.1:3793


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
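The reason the reply above insists on a cleartext password in the directory is in the CHAP arithmetic itself: the server has to recompute MD5 over the secret, so a one-way hash stored in LDAP is useless to it, which is exactly what the "Attribute "Password" is required for authentication" rejection in the debug output says. The following is an added example, written for this page and not code from the original posters or from FreeRADIUS; it models both sides of the RADIUS CHAP exchange (RFC 1994 with MD5; RFC 2865 section 5.3 for the CHAP-Password and CHAP-Challenge attributes). The `extract_cleartext` helper is an assumption about how a `password_header` such as `{clear}` is stripped from the configured `password_attribute`; the password, challenge and `{SHA}` value are constructed sample data.

```python
"""RADIUS CHAP verification as a server backed by cleartext LDAP passwords must do it.

Added example with constructed data (RFC 1994 CHAP-MD5, RFC 2865 s5.3 attributes).
"""
import hashlib
import hmac
import os
from typing import Optional


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the PPP client produces and the NAS relays as the RADIUS
    CHAP-Password attribute value: the 1-byte CHAP ident + 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def extract_cleartext(ldap_value: str, password_header: str = "{clear}") -> Optional[bytes]:
    """Assumed model of rlm_ldap's password_header directive: the configured header is
    stripped from the password_attribute value.  Any other '{...}' header (a hash such
    as {SHA} or {crypt}) yields None: CHAP cannot be verified against a one-way hash
    because the server must re-run MD5 over the secret itself."""
    if ldap_value.startswith(password_header):
        return ldap_value[len(password_header):].encode()
    if ldap_value.startswith("{"):
        return None  # hashed or otherwise prefixed: unusable for CHAP
    return ldap_value.encode()  # bare cleartext, no header stored in the directory


def server_verify_chap(chap_password: bytes, cleartext: Optional[bytes],
                       chap_challenge: Optional[bytes], request_authenticator: bytes) -> bool:
    """Server-side check.  RFC 2865 s5.3: CHAP-Password is exactly 17 bytes, and if the
    NAS sent no CHAP-Challenge attribute the 16-byte Request Authenticator is the
    challenge.  Constant-time compare so a wrong guess leaks nothing by timing."""
    if cleartext is None or len(chap_password) != 17:
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    ident = chap_password[0]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> dict:
    """Run the exchange against several directory values (all constructed)."""
    password = b"s3cret-ppp"
    ident = 0x0B
    challenge = os.urandom(16)      # normally chosen by the NAS, sent as CHAP-Challenge
    req_auth = os.urandom(16)       # RADIUS Request Authenticator of the Access-Request
    attr = client_chap_password(ident, password, challenge)
    # Variant with no CHAP-Challenge attribute: the client was challenged with
    # the Request Authenticator, so that is what both sides hash over.
    attr_no_chal = client_chap_password(ident, password, req_auth)
    return {
        "clear_ok": server_verify_chap(
            attr, extract_cleartext("{clear}s3cret-ppp"), challenge, req_auth),
        "wrong_pw": server_verify_chap(
            attr, extract_cleartext("{clear}wrong"), challenge, req_auth),
        "hashed_unusable": server_verify_chap(
            attr, extract_cleartext("{SHA}Q2xlYXJ0ZXh0IGhhc2g="), challenge, req_auth),
        "no_challenge_attr": server_verify_chap(
            attr_no_chal, extract_cleartext("s3cret-ppp"), None, req_auth),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'Access-Accept' if ok else 'Access-Reject'}")
```

The `hashed_unusable` case is the one the original poster is avoiding: with only `{SHA}` or `{crypt}` values in the directory, no amount of module configuration lets CHAP succeed, which is why the cleartext attribute (over TLS to the LDAP server, as the poster does) is a prerequisite for the `authtype CHAP` block to work at all.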
