So when you use Samba you can get the password in the clear? How is the mschap hash generated?

Ron.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willey Kurt D
Sent: Thursday, January 13, 2005 3:17 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

AD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron Wahler
Sent: Thursday, January 13, 2005 4:13 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

Are you storing the passwords in OpenLDAP or Active Directory?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willey Kurt D
Sent: Thursday, January 13, 2005 12:21 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

yes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Israel Fabio Alves
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Hi,

I have a question about the problem below. If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.

Ron Wahler wrote:
> You could still encrypt the passwords in the ldap database, it just has
> to be a two-way hash so you can get the password in the clear.
>
> Ron.
>
> Ron Wahler
> http://www.positive-logic.net
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Price
> Sent: Thursday, January 13, 2005 8:58 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: LDAP, PEAP, Active Directory issue
>
> I am having the same problem. When you use an EAP type (like PEAP), a
> hash of the password is sent to the radius server. The radius server is
> able to deal with this if it has the password (such as in a mysql DB or
> local file). The password can be hashed and compared with the hash that
> was received from the client (WinXP PC in your case). If you use LDAP,
> you must supply a cleartext password (usually over SSL) in order to
> perform PAP authentication. Since you are sending the hash of the
> password to the LDAP server it cannot bind. The only solution that I
> have found is to store cleartext passwords in the LDAP DB, but this
> would defeat the purpose of authentication because then anyone could
> view passwords stored on the LDAP server. I hope this explanation helps
> (at least it wasn't filled with WTF's and RTFM's like some responses).
> :)
>
> >>> [EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
>
> On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
>> AJ Grinnell <[EMAIL PROTECTED]> wrote:
>>
>>> Ok, I have peap working with the users file and with mysql, and I have
>>> radius working with ldap also. But I can not get a user to
>>> authenticate against ldap using peap.
>>
>> The server does not authenticate against LDAP for any EAP type. See
>> my previous message to you on this topic.
>>
>>> I have seen that you can't use eap and ldap,
>>
>> You already asked this question, and I already answered it. If you
>> don't remember, read the list archives.
>>
>>> but peap and ldap should work from what I have read.
>>
>> PEAP is a type of EAP.
>>
>>> the debug that I am seeing is very long, so I have included the part
>>> where I am seeing an obvious error.
>>
>> The part where it says it doesn't have a password?
>>
>>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>>> rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
>>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>>
>> You haven't told the server what the user's password is. How the
>> heck do you expect it to authenticate anyone?
>>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> I'm sorry, I have not seen any replies that you may have given me. The
> server has been told what the user's password is when they log in over
> the wireless: Windows XP asks for a username and password, both of
> which are in active directory. I can authenticate against the users
> file and a mysql database in the same fashion, why would ldap not
> work? Again, I'm sorry if this is a basic question.

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343