I'm currently storing NT-Password hashes in a MySQL database, and they had to be in
the format of "0xblahblahblah".. Authentication wouldn't work until I started storing
them prefixed with the "0x". I'm not sure if they'd need to be in the same format in
LDAP, but you might give that a try.
-Matt
MNU Internet System Administrator
MNU Network Security Administrator
--- Original Message Below ---
From: "Woods, Bryan" <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: LEAP, LDAP & NT-password
Date: Wed, 15 Oct 2003 07:32:13 -0700
Matt,
Thanks for the good info. Unfortunately, that didn't resolve my problem.
Here's what's happening when I try to connect to the wireless network from a
LEAP client (username 'leap_test' password 'password'):
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
rlm_ldap: Added password 8846F7EAEE8FB117AD06BDD830B7586C in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntpassword as NT-Password, value
8846F7EAEE8FB117AD06BDD830B7586C & op=21
>> the attribute 'ntpassword' in my LDAP has the nt-hash of 'password' -
it's found o.k.
rlm_ldap: looking for reply items in directory...
rlm_ldap: user leap_test authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
>> looks to me like the LDAP authorize piece works...
modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP packet type notification id 3 length 41
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
users: Matched leap_test at 15
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 3 length 41
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - leap
rlm_eap: processing type leap
rlm_eap_leap: Stage 4
rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
>> but I'm not sure what happened here...
>> the msg seems to say that the password from the client didn't match
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Does anybody see what I'm doing wrong here?
Bryan
-----Original Message-----
From: Matt Sapp [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 10:29 PM
To: [EMAIL PROTECTED]
Subject: RE: LEAP, LDAP & NT-password
Bryan,
I'm planning on setting up a system exactly like this in the coming days now
that PEAP support is available. If all goes well, I intend to produce a
howto to make it easier for other folks. I've been doing some research for
this reason, and I've come across the following thread:
http://lists.cistron.nl/pipermail/freeradius-users/2003-March/017366.html
Based on that thread it looks to me like you need:
password_attribute = "NT-Password"
This is then mapped via the ldap.attrmap file to ntPassword (which you
should be able to change to whatever ldap attribute you really have the nt
password hash stored in). I've not actually tried this myself yet, but
perhaps you can tell us the results :)
-Matt
MNU Internet System Administrator
MNU Network Security Administrator
--- Original Message Below ---
From: "Woods, Bryan" <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: LEAP, LDAP & NT-password
Date: Tue, 14 Oct 2003 15:16:00 -0700
O.K., I've almost got this working...
The LDAP stores the NT password in a field called 'ntpassword'. It is
stored as a standard NT-hash - '8846F7...'. I've modified the LDAP module
section so that it uses 'password_attribute = ntpassword'. Now, if I stick
'password' (un-hashed) into the ntpassword attribute in the LDAP, I can
authenticate as 'leap_test' (that's my test user) with the password
'password'. However, if I reset the password attribute to the hashed NT
password, it fails with:
Rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP.
So, it seems that my problem has to do with the fact that the leap module
isn't aware that the password in the LDAP is hashed as an NT password. My
guess is that folks who use a smbpass file to authenticate LEAP would have
the same situation. Has anyone else run into this?
I will be most grateful to those who can offer suggestions, sympathy, or a
cold beer to assist me with this.
Bryan Woods
Pomona Unified School District
-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 8:12 AM
To: [EMAIL PROTECTED]
Subject: Re: LEAP, LDAP & NT-password
"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Since my "real" users are in the LDAP, I won't be using the 'users'
> file. So where do I define the Auth-Type? And what value should it be
> set to?
You don't define the Auth-Type. The server will figure it out on its own.
> And I'm guessing that I can setup the ldap section of 'modules' to use
> the 'password_attribute' in which we store the ntPassword? Does that
> sound correct?
I don't use LDAP, but it sounds reasonable. Try it and see.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html