On 29/03/12 13:24, Heinrich, Sebastian wrote:
> Hello Everybody,
> I have two questions for my understanding. I set up FreeRADIUS to
> authenticate against our Active Directory. I read in the readme that
> this couldn't be done with the ldap module, so I did it with SAMBA. It
> works fine for MSCHAPv2. But nowhere does it say why it couldn't be done with
> the ldap module. Can anybody give a technical explanation? As I read it, the
> ldap module can only work with cleartext passwords and eap is encrypted.
> But why can't it work with it? A technical explanation would be nice.
Basically: MS-CHAP is a cryptographic, challenge-response protocol. To
perform the correct crypto, you need the NT-Hash of the user's password.
If you have Active Directory, you can't extract this hash; it is stored
in the domain controllers, and not visible over LDAP.
Therefore, you have to use Samba/ntlm_auth to "send" the MS-CHAP to a
domain controller, which does the crypto for you.
> As I wrote, I set FreeRADIUS up to work fine with the Active
> Directory. I configured the eap.conf to work with PEAP and MSCHAPv2.
> When I configure it this way, don't I need certificates? The
> certificates aren't checked by the clients or server, are they? Do I
> need certificates when I use PEAP with MSCHAPv2 or am I doing something
> wrong?
You need a certificate at the server side. You should make sure your
clients validate this certificate, otherwise an attacker can impersonate
you and capture MS-CHAP packets, and perform cryptographic attacks.
You don't need a certificate at the client side.
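The client-side validation the reply asks for, shown as an added wpa_supplicant example (it is not from the thread, FreeRADIUS or Samba): the first network block accepts whatever certificate the RADIUS server presents, so anyone who gets a client to associate with a rogue access point terminates the PEAP tunnel and sees the MS-CHAPv2 exchange; the second block trusts only the CA that issued your server certificate and checks the name in it. The SSID, account, CA file path and server name are placeholders.

```conf
# Weak: no ca_cert, so any server certificate is accepted and the inner
# MS-CHAPv2 exchange is exposed to whoever terminates the TLS tunnel.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="changeme"
    phase2="auth=MSCHAPV2"
}

# Corrected: validate the server certificate against the issuing CA and
# require the server name to match, so an impersonating server is refused.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="user"
    password="changeme"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

The `ca_cert` line is the one that matters; `domain_suffix_match` closes the remaining gap where any certificate from the same CA would otherwise be accepted, and `anonymous_identity` keeps the real user name out of the unencrypted outer EAP identity.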
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html