Matt! You're a friggin' genius! Sure enough, all I had to do was comment-out the 'password_attribute' value in the config file... BAM! It works great!
That means that I can put my old "Idiot's guide to C++" back on the shelf... But I think I'll go ahead and let the boss think that it's still going to take me a week to get this going... ;)

Bryan

> -----Original Message-----
> From: Matt Sapp [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 23, 2003 3:54 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: NT passwords and LEAP
>
> Brian and list:
>
> Good news -- I've sorted out the problem that Bryan (and myself) has been
> having with authenticating LEAP against LDAP. In fact, I'm able to auth
> both LEAP and PEAP against the same LDAP database -- time to roll out
> wireless around these parts now ;)
>
> First off, ntPasswords stored in ldap _must_ be prefixed with 0x. Without,
> it fails all over the place. Of course, this is the same as anywhere else
> (I had been storing ntPassword hashes in mysql before and having the exact
> same result).
>
> Next, look at the ldap { } configuration section of radiusd.conf. I know
> that Brian and I had assumed that one would need "password_attribute =
> ntpassword" in order to auth against those hashes. However, that is wrong.
> Simply commenting out the password_attribute = line solved the problem.
> What was happening was freeradius was using the 0xblah hash as the
> password (since that is what it had been told to do). This is why Bryan
> was able to authenticate when entering the actual hash on the client. If
> freeradius thinks it has a cleartext password, that overrides any NT or LM
> passwords it may have found. Anyhow, once this bit is commented out,
> everything just works (at least here).
>
> Hopefully this will be helpful for anyone attempting this configuration.
>
> -Matt
> MNU Internet System Administrator
> MNU Network Security Administrator
>
> --- Original Message Below ---
>
> From: "Woods, Bryan" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: NT passwords and LEAP
> Date: Tue, 21 Oct 2003 13:31:46 -0700
>
> Thanks for the help, Alan.
>
> > Add a '0x' to the start of the NT password hash in the LDAP database.
>
> I've tried that. Here's what my output looks like when I prepend the
> ntpassword from the LDAP with '0x':
>
> rad_recv: Access-Request packet from host 10.32.3.253:1070, id=40, length=223
>         User-Name = "leap_test"
>         Cisco-AVPair = "ssid=tsunami"
>         NAS-IP-Address = 10.32.3.253
>         Called-Station-Id = "000d653d6940"
>         Calling-Station-Id = "0030650d5ce6"
>         NAS-Identifier = "AP1200-3d6940"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         State = 0x6717451603a62928816ae8c1cb977ea7c18c953ff7fce3a8cc42e450cefc4c51af94e18b
>         NAS-Port-Type = Wireless-802.11
>         Service-Type = Login-User
>         EAP-Message = 0x02030029110100180ebb2197383b3737df3a4ed5d85c45c8820014bf867add8c6c6561705f74657374
>         Message-Authenticator = 0xc65aeab8dbe83fab867a97f6e2373055
> modcall: entering group authorize
>   rlm_ldap: - authorize
>   rlm_ldap: performing user authorization for leap_test
> radius_xlat:  '(uid=leap_test)'
> radius_xlat:  'o=PUSD,c=US'
> ldap_get_conn: Got Id: 0
>   rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
>   rlm_ldap: Added password 0x8846F7EAEE8FB117AD06BDD830B7586C in check items
>   rlm_ldap: looking for check items in directory...
>   rlm_ldap: Adding ntpassword as NT-Password, value 0x8846F7EAEE8FB117AD06BDD830B7586C & op=21
>   rlm_ldap: looking for reply items in directory...
>   rlm_ldap: user leap_test authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "files" returns notfound
>   rlm_eap: EAP packet type notification id 3 length 41
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
>   rlm_eap: EAP packet type notification id 3 length 41
>   rlm_eap: EAP Start not found
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP_TYPE - leap
>   rlm_eap: processing type leap
>   rlm_eap_leap: Stage 4
>   rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
>   modcall[authenticate]: module "eap" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> Sending Access-Reject of id 40 to 10.32.3.253:1070
>         EAP-Message = 0x04030004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 1
> Going to the next request
>
> > The issue is that the NT-Password attribute is of type 'octets', which
> > requires a '0x' to start off the string. If it doesn't see that, it
> > assumes that the data is a double-quoted string, and it uses that
> > verbatim.
>
> Are you referring to the RADIUS attribute 'NT-Password' which (according
> to my ldap.attrmap file) maps to my LDAP 'ntpassword' attribute? Because
> as far as I can tell, the LDAP data type for the 'ntpassword' attribute is
> straight text:
>
> .
> .
> .
> attributetype ( 1.3.6.1.4.1.12430.1.7
>     NAME 'ntpassword'
>     EQUALITY caseIgnoreMatch
>     SUBSTR caseIgnoreSubstringsMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
>     SINGLE-VALUE )
> .
> .
> .
>
> Bryan
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
