On 30/11/12 16:39, Thomas Dupas wrote:
> Dear,
>
> At the risk of falling into a known trap.
> I've read enough statements that one can't do mschapv2 with openldap,
> unless you store the passwords in clear-text. I know that

That's not true.

You need the NT hash to perform mschapv2. Therefore, you either need the actual nt hash, or the plaintext password (and FreeRADIUS will derive the NT hash for you).


> But those same sources also state that this isn't true when you have a
> (MS) hash available for those users, like NT-/LM-PASSWORD, which I have.
>
> Yet my configuration still seems to expect clear-text passwords.
> From the debug output (cleaned):
>
> [ldap] looking for check items in directory...
>    [ldap] userPassword -> User-Password == "{crypt}<cryptpasswd>"
>    [ldap] userPassword -> Password-With-Header == "{crypt}<cryptpasswd>"
>    [ldap] sambaNTPassword -> NT-Password == 0x<hash>
>    [ldap] sambaLMPassword -> LM-Password == 0x<hash>
>
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.

That just says it can't *create* them. If they're present already, that's fine.

> [mschap] Creating challenge hash with username: <userid>
> [mschap] Told to do MS-CHAPv2 for <userid> with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.

Hmm.

> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

> What am I missing in the configuration? It has the hashed passwords,
> seemingly mapped to the correct attributes, yet it still says it doesn't
> have them.

It should work in theory. I'd need to see a full debug.


> Config is as stock as possible, using
> http://vuksan.com/linux/dot1x/802-1x-LDAP.html and
> http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius as guidelines.

I haven't read those docs, but most of the 3rd party documentation on the internet is either wrong or out-of-date.

Follow the docs that come with the server or on the FreeRADIUS wiki.


> See pastebin for the entire configuration, since one can't post
> attachments to a mailing list. http://pastebin.com/d6FWVS1F

The config is not useful. What's useful is a full debug, gathered with "radiusd -X", showing a failing auth.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
