Bryan and list:
Good news -- I've sorted out the problem that Bryan (and myself) have been having with
authenticating LEAP against LDAP. In fact, I'm able to auth both LEAP and PEAP
against the same LDAP database -- time to roll out wireless around these parts now ;)
First off, ntPasswords stored in ldap _must_ be prefixed with 0x. Without, it fails
all over the place. Of course, this is the same as anywhere else (I had been storing
ntPassword hashes in mysql before and having the exact same result).
Next, look at the ldap { } configuration section of radiusd.conf. I know that Bryan
and I had assumed that one would need "password_attribute = ntpassword" in order to
auth against those hashes. However, that is wrong. Simply commenting out the
password_attribute = line solved the problem. What was happening was freeradius was
using the 0xblah hash as the password (since that is what it had been told to do).
This is why Bryan was able to authenticate when entering the actual hash on the
client. If freeradius thinks it has a cleartext password, that overrides any NT or LM
passwords it may have found. Anyhow, once this bit is commented out, everything just
works (at least here).
Hopefully this will be helpful for anyone attempting this configuration.
-Matt
MNU Internet System Administrator
MNU Network Security Administrator
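A small model of the two rules this thread turns on, added here as an example and not code from the list or from FreeRADIUS: how an 'octets' value such as NT-Password is read with and without the 0x prefix, and why leaving password_attribute = ntpassword in the ldap { } section makes the hash compete as a cleartext password. The sample entry, the attrmap line and the check-item behaviour are assumptions modelled on the posts and the debug output, not rlm_ldap's actual code.

```python
from typing import Dict, List, Optional, Tuple

# Constructed LDAP entry; the hash value is the one visible in Bryan's debug output.
SAMPLE_ENTRY = {"uid": "leap_test", "ntpassword": "0x8846F7EAEE8FB117AD06BDD830B7586C"}
ATTRMAP = {"ntpassword": "NT-Password"}  # the relevant ldap.attrmap line (assumed)

def parse_octets(value: str) -> bytes:
    """Read a value the way an 'octets' attribute is read (Alan's rule in the
    thread): a '0x' prefix means hex data, anything else is taken verbatim."""
    if value[:2].lower() == "0x":
        return bytes.fromhex(value[2:])
    return value.encode("ascii")

def check_nt_password_value(value: str) -> List[str]:
    """Problems to flag for a stored ntpassword value before relying on it."""
    problems = []
    try:
        raw = parse_octets(value)
    except ValueError:
        return ["0x prefix present but the remainder is not hex"]
    if value[:2].lower() != "0x":
        problems.append("missing 0x prefix: used as a %d-byte literal string" % len(raw))
    if len(raw) != 16:
        problems.append("NT hash must be 16 bytes, got %d" % len(raw))
    return problems

def check_items_from_ldap(entry: Dict[str, str], password_attribute: Optional[str],
                          attrmap: Dict[str, str]) -> Dict[str, str]:
    """Assumed model of what rlm_ldap adds to the check items: password_attribute
    becomes a cleartext User-Password ("Added password ... in check items"),
    attrmap entries become their RADIUS attribute ("Adding ntpassword as NT-Password")."""
    items = {}
    if password_attribute and password_attribute in entry:
        items["User-Password"] = entry[password_attribute]
    for ldap_attr, radius_attr in attrmap.items():
        if ldap_attr in entry:
            items[radius_attr] = entry[ldap_attr]
    return items

def effective_password_check(check_items: Dict[str, str]) -> Tuple[str, str]:
    """Matt's precedence rule: a cleartext password overrides NT-/LM-Password."""
    for name in ("User-Password", "NT-Password", "LM-Password"):
        if name in check_items:
            return name, check_items[name]
    return "", ""

if __name__ == "__main__":
    for pw_attr in ("ntpassword", None):  # as in the mail: set, then commented out
        items = check_items_from_ldap(SAMPLE_ENTRY, pw_attr, ATTRMAP)
        print("password_attribute=%r -> compares against %s"
              % (pw_attr, effective_password_check(items)[0]))
```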
--- Original Message Below ---
From: "Woods, Bryan" <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: NT passwords and LEAP
Date: Tue, 21 Oct 2003 13:31:46 -0700
Thanks for the help, Alan.
> Add a '0x' to the start of the NT password hash in the LDAP
> database.
I've tried that. Here's what my output looks like when I prepend the
ntpassword from the LDAP with '0x':
rad_recv: Access-Request packet from host 10.32.3.253:1070, id=40, length=223
User-Name = "leap_test"
Cisco-AVPair = "ssid=tsunami"
NAS-IP-Address = 10.32.3.253
Called-Station-Id = "000d653d6940"
Calling-Station-Id = "0030650d5ce6"
NAS-Identifier = "AP1200-3d6940"
NAS-Port = 37
Framed-MTU = 1400
State = 0x6717451603a62928816ae8c1cb977ea7c18c953ff7fce3a8cc42e450cefc4c51af94e18b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x02030029110100180ebb2197383b3737df3a4ed5d85c45c8820014bf867add8c6c6561705f74657374
Message-Authenticator = 0xc65aeab8dbe83fab867a97f6e2373055
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for leap_test
radius_xlat: '(uid=leap_test)'
radius_xlat: 'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
rlm_ldap: Added password 0x8846F7EAEE8FB117AD06BDD830B7586C in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntpassword as NT-Password, value 0x8846F7EAEE8FB117AD06BDD830B7586C & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user leap_test authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "files" returns notfound
rlm_eap: EAP packet type notification id 3 length 41
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 3 length 41
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - leap
rlm_eap: processing type leap
rlm_eap_leap: Stage 4
rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 40 to 10.32.3.253:1070
EAP-Message = 0x04030004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 1
Going to the next request
>
> The issue is that the NT-Password attribute is of type
> 'octets', which requires a '0x' to start off the string. If
> it doesn't see that, it assumes that the data is a
> double-quoted string, and it uses that verbatim.
Are you referring to the RADIUS attribute 'NT-Password' which (according to
my ldap.attrmap file) maps to my LDAP 'ntpassword' attribute? Because as
far as I can tell, the LDAP data type for the 'ntpassword' attribute is
straight text:
.
.
.
attributetype ( 1.3.6.1.4.1.12430.1.7
NAME 'ntpassword'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
.
.
.
Bryan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html