Dear Matt Sapp,

rlm_mschap can process both digital and hex format. The problem is probably here:

MS> rlm_ldap: Added password 8846F7EAEE8FB117AD06BDD830B7586C in check items

8846F7EAEE8FB117AD06BDD830B7586C added as a password to check_items. So, NT-Password will be re-calculated with this value.

MS> rlm_ldap: looking for check items in directory...
MS> rlm_ldap: Adding ntpassword as NT-Password, value

--
Wednesday, October 15, 2003, 6:43:26 PM, you wrote to [EMAIL PROTECTED]:

MS> I'm currently storing NT-Password hashes in a MySQL database, and they had to be in the format of "0xblahblahblah". Authentication wouldn't work until I started storing them prefixed with the "0x". I'm not sure if they'd need to be in the same format in LDAP, but you might give that a try.
MS>
MS> -Matt
MS> MNU Internet System Administrator
MS> MNU Network Security Administrator
MS>
MS> --- Original Message Below ---
MS> From: "Woods, Bryan" <[EMAIL PROTECTED]>
MS> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
MS> Subject: RE: LEAP, LDAP & NT-password
MS> Date: Wed, 15 Oct 2003 07:32:13 -0700
MS>
MS> Matt,
MS>
MS> Thanks for the good info. Unfortunately, that didn't resolve my problem.
MS> Here's what's happening when I try to connect to the wireless network from a LEAP client (username 'leap_test' password 'password'):
MS>
MS> rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
MS> rlm_ldap: Added password 8846F7EAEE8FB117AD06BDD830B7586C in check items
MS> rlm_ldap: looking for check items in directory...
MS> rlm_ldap: Adding ntpassword as NT-Password, value 8846F7EAEE8FB117AD06BDD830B7586C & op=21
MS>
MS> >>> the attribute 'ntpassword' in my LDAP has the nt-hash of 'password' - it's found o.k.
MS>
MS> rlm_ldap: looking for reply items in directory...
MS> rlm_ldap: user leap_test authorized to use remote access
MS> ldap_release_conn: Release Id: 0
MS> modcall[authorize]: module "ldap" returns ok
MS>
MS> >>> looks to me like the LDAP authorize piece works...
MS>
MS> modcall[authorize]: module "preprocess" returns ok
MS> rlm_eap: EAP packet type notification id 3 length 41
MS> rlm_eap: EAP Start not found
MS> modcall[authorize]: module "eap" returns updated
MS> users: Matched leap_test at 15
MS> modcall[authorize]: module "files" returns ok
MS> modcall: group authorize returns updated
MS> rad_check_password: Found Auth-Type EAP
MS> auth: type "EAP"
MS> modcall: entering group authenticate
MS> rlm_eap: EAP packet type notification id 3 length 41
MS> rlm_eap: EAP Start not found
MS> rlm_eap: Request found, released from the list
MS> rlm_eap: EAP_TYPE - leap
MS> rlm_eap: processing type leap
MS> rlm_eap_leap: Stage 4
MS> rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
MS>
MS> >>> but I'm not sure what happened here...
MS> >>> the msg seems to say that the password from the client didn't match
MS>
MS> modcall[authenticate]: module "eap" returns invalid
MS> modcall: group authenticate returns invalid
MS> auth: Failed to validate the user.
MS> Delaying request 1 for 1 seconds
MS> Finished request 1
MS>
MS> Does anybody see what I'm doing wrong here?
MS>
MS> Bryan
MS>
MS> -----Original Message-----
MS> From: Matt Sapp [mailto:[EMAIL PROTECTED]
MS> Sent: Tuesday, October 14, 2003 10:29 PM
MS> To: [EMAIL PROTECTED]
MS> Subject: RE: LEAP, LDAP & NT-password
MS>
MS> Bryan,
MS>
MS> I'm planning on setting up a system exactly like this in the coming days now that PEAP support is available. If all goes well, I intend to produce a howto to make it easier for other folks. I've been doing some research for this reason, and I've come across the following thread:
MS> http://lists.cistron.nl/pipermail/freeradius-users/2003-March/017366.html
MS>
MS> Based on that thread it looks to me like you need:
MS> password_attribute = "NT-Password"
MS> This is then mapped via the ldap.attrmap file to ntPassword (which you should be able to change to whatever ldap attribute you really have the nt password hash stored in). I've not actually tried this myself yet, but perhaps you can tell us the results :)
MS>
MS> -Matt
MS> MNU Internet System Administrator
MS> MNU Network Security Administrator
MS>
MS> --- Original Message Below ---
MS> From: "Woods, Bryan" <[EMAIL PROTECTED]>
MS> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
MS> Subject: RE: LEAP, LDAP & NT-password
MS> Date: Tue, 14 Oct 2003 15:16:00 -0700
MS>
MS> O.K., I've almost got this working...
MS> The LDAP stores the NT password in a field called 'ntpassword'. It is stored as a standard NT-hash - '8846F7...'. I've modified the LDAP module section so that it uses 'password_attribute = ntpassword'. Now, if I stick 'password' (un-hashed) into the ntpassword attribute in the LDAP, I can authenticate as 'leap_test' (that's my test user) with the password 'password'. However, if I reset the password attribute to the hashed NT password, it fails with:
MS> Rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP.
MS> So, it seems that my problem has to do with the fact that the leap module isn't aware that the password in the LDAP is hashed as an NT password. My guess is that folks who use a smbpass file to authenticate LEAP would have the same situation. Has anyone else run into this?
MS> I will be most grateful to those who can offer suggestions, sympathy, or a cold beer to assist me with this.
MS>
MS> Bryan Woods
MS> Pomona Unified School District
MS>
MS> -----Original Message-----
MS> From: Alan DeKok [mailto:[EMAIL PROTECTED]
MS> Sent: Tuesday, October 14, 2003 8:12 AM
MS> To: [EMAIL PROTECTED]
MS> Subject: Re: LEAP, LDAP & NT-password
MS>
MS> "Woods, Bryan" <[EMAIL PROTECTED]> wrote:
MS> >> Since my "real" users are in the LDAP, I won't be using the 'users' file. So where do I define the Auth-Type? And what value should it be set to?
MS>
MS> You don't define the Auth-Type. The server will figure it out on its own.
MS>
MS> >> And I'm guessing that I can set up the ldap section of 'modules' to use the 'password_attribute' in which we store the ntPassword? Does that sound correct?
MS>
MS> I don't use LDAP, but it sounds reasonable. Try it and see.
MS>
MS> Alan DeKok.
MS>
MS> -
MS> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
~/ZARAZA
Yes, he was damned lucky. And how badly he'd have fared if he had survived! (Twain)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
