RE: radius+ldap+peap
> Arjuna Scagnetto wrote:
>> can someone tell me a good tutorial about making freeradius work with ldap and peap on a 802.1x architecture ?
>
> Get LDAP working with PAP authentication, but NOT using ldap bind.
> Get PEAP working with passwords in the users file.
> Try PEAP with a user whose password is in LDAP.
>
>> For the moment my freeradius server dies with a Segmentation Fault, I think it's caused by a misunderstanding between peap and ldap but I'm not sure.
>
> Please say which version of the server you're using.

PEAP with user whose password is in LDAP

Info related to my configuration and some debug.

--- slapd.configuration
include radius.schema

account type:

dn: uid=wclient, ou=dot1x,cn=example,cn=com
objectclass: top
objectclass: radiusprofile
objectclass: inetOrgPerson
userPassword: {SSHA}tymetcetcetc

If I authenticate the user against MySQL it works perfectly, with the same wpa_supplicant config file; trying to authenticate against LDAP, the radius server dies with a Segmentation FAULT. Radius binds to LDAP, extracts the userPassword field from its DIT and then radius dies.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius+ldap+peap
Arjuna Scagnetto wrote:
> ...
> PEAP with user whose password is in LDAP
> ...
> userPassword: {SSHA}tymetcetcetc

This WILL NOT WORK. See:

http://deployingradius.com/documents/protocols/compatibility.html

Use clear-text passwords in LDAP. If you can't put clear-text passwords in LDAP, stop trying to use PEAP.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: radius+ldap+peap
As a general rule of thumb, always use clear text in the ldap databases where you are trying to offer enhanced password protection like cram-md5, even chap, etc. You need the original data to calculate the hashes from.

Alan DeKok wrote:
> Arjuna Scagnetto wrote:
>> ...
>> PEAP with user whose password is in LDAP
>> ...
>> userPassword: {SSHA}tymetcetcetc
>
> This WILL NOT WORK. See:
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Use clear-text passwords in LDAP. If you can't put clear-text passwords in LDAP, stop trying to use PEAP.
>
> Alan DeKok.
RE: radius+ldap+peap
Alan DeKok wrote:
> Arjuna Scagnetto wrote:
>> ...
>> PEAP with user whose password is in LDAP
>> ...
>> userPassword: {SSHA}tymetcetcetc
>
> This WILL NOT WORK. See:
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Use clear-text passwords in LDAP. If you can't put clear-text passwords in LDAP, stop trying to use PEAP.
>
> Alan DeKok.

Yes, I've seen the matrix. I'll try EAP-TTLS + PAP so I can authenticate against LDAP with any password hash.

Thanks for helping; as soon as the book is published you'll become rich! :)

bye
arjuna
Re: radius+ldap+peap
Angelos Karageorgiou wrote:
> As a general rule of thumb, always use clear text in the ldap databases where you are trying to offer enhanced password protection like cram-md5, even chap, etc. You need the original data to calculate the hashes from.
>
> Alan DeKok wrote:
>> Arjuna Scagnetto wrote:
>>> ...
>>> PEAP with user whose password is in LDAP
>>> ...
>>> userPassword: {SSHA}tymetcetcetc
>>
>> This WILL NOT WORK. See:
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>> Use clear-text passwords in LDAP. If you can't put clear-text passwords in LDAP, stop trying to use PEAP.

NO! Calculate the damn NT hashes... Never put users' clear-text passwords in LDAP if you can avoid it.

Create an attribute called NTPassword and map it to NT-Password. Calculate the hash using

    # MD4 over the UCS-2LE encoded password, hex with a 0x prefix
    # (hash() replaces the mhash() call, which later PHP versions removed)
    $ucs2 = mb_convert_encoding($str, 'UCS-2LE', 'auto');
    $hash = '0x' . bin2hex(hash('md4', mb_substr($ucs2, 0, 128, 'UCS-2LE'), true));

for PHP, or calculate the MD4 hash of the UCS-2LE encoded passphrase, prefix it with 0x and output it as hex.

MSChapV2 will now work, which means you can use PEAP and TTLS MSCHAPv2.

For PAP calculate the SSHA password and prefix it with {SSHA}:

    $salt = substr(md5(mt_rand() . $str), 0, 4);   # Generate 4 byte salt
    $hash = '{SSHA}' . base64_encode(sha1($str . $salt, true) . $salt);

Use autoheader in LDAP and PAP to authenticate.

The weak point is the NT4 hash as it has no salt... and there are known issues with MD4, but it's still better than leaving everything in cleartext.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: radius+ldap+peap
Arran Cudbard-Bell wrote:
>> Use clear-text passwords in LDAP. If you can't put clear-text passwords in LDAP, stop trying to use PEAP.
>
> NO! Calculate the damn NT hashes... Never put users' clear-text passwords in LDAP if you can avoid it.

Step 1: Get it to work.
Step 2: Get it to work better.

Getting past step one involves configuring everything to remove as many variables as possible.

> The weak point is the NT4 hash as it has no salt... and there are known issues with MD4, but it's still better than leaving everything in cleartext.

For anyone who cares, 99.9% of NT hash'd passwords can be turned back into clear-text passwords with 5G of disk space, and a few minutes of work. The security added by NT hashed passwords is minimal.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
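An added worked example, my own code and not from the thread or from FreeRADIUS, that carries Arran's recipe above through end to end and then illustrates Alan's point about unsalted NT hashes. It derives both LDAP password forms from one cleartext password: NT-Password as 0x-prefixed hex of MD4 over the UTF-16LE (UCS-2LE) password, and an {SSHA} userPassword value, which it then verifies the way a PAP check does. MD4 is implemented inline because hashlib on OpenSSL 3 builds often does not provide it. The user names, passwords, wordlist and dn layout are constructed sample data; the attribute name NTPassword is the one Arran proposes, not a standard schema attribute.

```python
import base64
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data):
    """MD4 digest as in RFC 1320, in pure Python (hashlib may lack md4)."""
    # Pad: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (function, additive constant, shift table, message-word order) per round
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, add, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + add) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles: next step updates old d
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password(password):
    """NT-Password check item for FreeRADIUS: 0x + hex(MD4(UTF-16LE(password))).
    No salt, so the same password always yields the same value."""
    return "0x" + md4(password.encode("utf-16-le")).hex().upper()


def ssha_password(password, salt=None):
    """{SSHA} userPassword: base64(SHA1(password || salt) || salt), random salt."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """What a PAP module does with an {SSHA} value: strip the header, split the
    20-byte SHA-1 digest from the trailing salt (any length), recompute, compare."""
    if stored[:6].upper() != "{SSHA}":
        return False
    blob = base64.b64decode(stored[6:])
    digest, salt = blob[:20], blob[20:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def reverse_nt_hashes(targets, wordlist):
    """Why an unsalted hash is weak: one table built from a wordlist is reused
    against every user's NT-Password; per-entry salts in {SSHA} defeat this."""
    table = {nt_password(w): w for w in wordlist}
    return {t: table.get(t) for t in targets}


def build_entries(users):
    """Constructed LDIF-style entries carrying both password forms per user."""
    return {u: {"NTPassword": nt_password(p), "userPassword": ssha_password(p)}
            for u, p in users.items()}


if __name__ == "__main__":
    # Constructed sample data, not from the thread.
    users = {"wclient": "password", "alice": "Summer2007", "bob": "password"}
    entries = build_entries(users)
    for uid, attrs in entries.items():
        print(f"dn: uid={uid},ou=dot1x,dc=example,dc=com")
        for name, value in attrs.items():
            print(f"{name}: {value}")
        print()
    # Same cleartext: identical NT-Password, distinct {SSHA}; both PAP-verifiable.
    assert entries["wclient"]["NTPassword"] == entries["bob"]["NTPassword"]
    assert entries["wclient"]["userPassword"] != entries["bob"]["userPassword"]
    assert all(verify_ssha(users[u], entries[u]["userPassword"]) for u in users)
    found = reverse_nt_hashes([e["NTPassword"] for e in entries.values()],
                              ["letmein", "password", "Summer2007"])
    print("recovered from wordlist:", found)
```

Running it prints one entry per user; wclient and bob share an identical NTPassword but get different userPassword values, and the wordlist lookup recovers both "password" users and alice in one pass, which is the precomputation Alan refers to.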
Re: radius+ldap+peap
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>>> Use clear-text passwords in LDAP. If you can't put clear-text passwords in LDAP, stop trying to use PEAP.
>>
>> NO! Calculate the damn NT hashes... Never put users' clear-text passwords in LDAP if you can avoid it.
>
> Step 1: Get it to work.
> Step 2: Get it to work better.

True... But you're encouraging people in bad habits! It's like all the documentation I've seen telling people to *un-check* the validate certificate check box in Windows XP supplicants...

> Getting past step one involves configuring everything to remove as many variables as possible.
>
>> The weak point is the NT4 hash as it has no salt... and there are known issues with MD4, but it's still better than leaving everything in cleartext.
>
> For anyone who cares, 99.9% of NT hash'd passwords can be turned back into clear-text passwords with 5G of disk space, and a few minutes of work. The security added by NT hashed passwords is minimal.

Yes, but it stops the annoying student who acquires the manager credentials from the test documentation wiki which *someone* forgot to password protect, dumping everyone's credentials out in plaintext...

It's hard to stop people who know what they're doing, but fortunately those people are in the minority.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: radius+ldap+peap
Arjuna Scagnetto wrote:
> can someone tell me a good tutorial about making freeradius work with ldap and peap on a 802.1x architecture ?

Get LDAP working with PAP authentication, but NOT using ldap bind.
Get PEAP working with passwords in the users file.
Try PEAP with a user whose password is in LDAP.

> For the moment my freeradius server dies with a Segmentation Fault, I think it's caused by a misunderstanding between peap and ldap but I'm not sure.

Please say which version of the server you're using.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog