RE: radius+ldap+peap

2007-05-18 Thread Arjuna Scagnetto


 Arjuna Scagnetto wrote:
  can someone tell me a good tutorial about making work freeradius with 
  ldap and peap on a 802.1x architecture ?

   Get LDAP working with PAP authentication, but NOT using ldap bind.

   Get PEAP working with passwords in the users file.

   Try PEAP with a user whose password is in LDAP.

  For the moment my freeradius server dies with a Segmentation Fault, i 
  think it's caused by a misunderstanding between peap and ldap but i'm 
  not sure.

   Please say which version of the server you're using.

PEAP with user whose password is in LDAP

Info related to my configuration and some debug.
---

slapd configuration:
include radius.schema

account type:
dn: uid=wclient, ou=dot1x,cn=example,cn=com
objectclass:top
objectclass:radiusprofile
objectclass:inetOrgPerson
userPassword: {SSHA}tymetcetcetc

If I authenticate the user against MySQL it works perfectly; with the same 
wpa_supplicant config file, trying to authenticate against LDAP, the RADIUS 
server dies with a Segmentation FAULT.

RADIUS binds to LDAP, extracts the userPassword field from the DIT, and 
then RADIUS dies.
-

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius+ldap+peap

2007-05-18 Thread Alan DeKok
Arjuna Scagnetto wrote:
...
 PEAP with user whose password is in LDAP
...
 userPAssword: {SSHA}tymetcetcetc

  This WILL NOT WORK.  See:

http://deployingradius.com/documents/protocols/compatibility.html

  use clear-text passwords in LDAP.  If you can't put clear-text
passwords in LDAP, stop trying to use PEAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: radius+ldap+peap

2007-05-18 Thread Angelos Karageorgiou
As a general rule of thumb, always use clear text in the LDAP databases
where you are trying to offer enhanced password protection like 
CRAM-MD5, even CHAP, etc.

You need the original data to calculate the hashes from.


Alan DeKok wrote:
 Arjuna Scagnetto wrote:
 ...
   
 PEAP with user whose password is in LDAP
 
 ...
   
 userPAssword: {SSHA}tymetcetcetc
 

   This WILL NOT WORK.  See:

 http://deployingradius.com/documents/protocols/compatibility.html

   use clear-text passwords in LDAP.  If you can't put clear-text
 passwords in LDAP, stop trying to use PEAP.

   Alan DeKok.
   

RE: radius+ldap+peap

2007-05-18 Thread Arjuna Scagnetto

 
 
 Alan DeKok wrote:
 Arjuna Scagnetto wrote:
 ...
   
 PEAP with user whose password is in LDAP
 
 ...
   
 userPAssword: {SSHA}tymetcetcetc
 
   This WILL NOT WORK.  See:

 http://deployingradius.com/documents/protocols/compatibility.html

   use clear-text passwords in LDAP.  If you can't put clear-text
 passwords in LDAP, stop trying to use PEAP.

   Alan DeKok.
   

Yes, I've seen the matrix; I'll try EAP-TTLS + PAP so I can authenticate 
against LDAP with any password hash.

Thanks for helping

As soon as the book is published you'll become rich! :)

bye
arjuna




Re: radius+ldap+peap

2007-05-18 Thread Arran Cudbard-Bell
Angelos Karageorgiou wrote:
 As a general rule of thumb, always use clear text in the LDAP databases
 where you are trying to offer enhanced password protection like 
 CRAM-MD5, even CHAP, etc.
 
 You need the original data to calculate the hashes from.
 
 
 Alan DeKok wrote:
 Arjuna Scagnetto wrote:
 ...
   
 PEAP with user whose password is in LDAP
 
 ...
   
 userPAssword: {SSHA}tymetcetcetc
 
   This WILL NOT WORK.  See:

 http://deployingradius.com/documents/protocols/compatibility.html

   use clear-text passwords in LDAP.  If you can't put clear-text
 passwords in LDAP, stop trying to use PEAP.

NO! Calculate the damn NT hashes... Never put users' clear-text 
passwords in LDAP if you can avoid it.

Create an attribute called NTPassword and map it to NT-Password.

Calculate the hash in PHP using

// NT-Password: MD4 over the UCS-2LE (UTF-16LE) encoding of the password,
// cut to the first 128 characters, output as hex with a 0x prefix.
// hash() replaces the removed mhash() extension; the substring is taken
// before the conversion so the cut is in characters, not UCS-2 bytes.
$hash = '0x' . bin2hex(hash('md4', mb_convert_encoding(mb_substr($str, 0, 128, 'UTF-8'), 'UCS-2LE', 'UTF-8')));

or calculate the MD4 hash of the UCS-2LE encoded passphrase and output it 
as hex, prefixed with 0x.

MSCHAPv2 will now work, which means you can use PEAP and TTLS-MSCHAPv2.

For PAP, calculate the SSHA password and prefix it with {SSHA}:

$salt = random_bytes(4);                                                   # 4-byte random salt (CSPRNG, not mt_rand)
$hash = '{SSHA}' . base64_encode(hash('sha1', $str . $salt, true) . $salt);  # raw SHA-1 digest, then the salt

Use auto_header with LDAP and PAP to authenticate.

The weak point is the NT4 hash, as it has no salt... and there are known 
issues with MD4, but it's still better than leaving everything in cleartext.
-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900

Re: radius+ldap+peap

2007-05-18 Thread Alan DeKok
Arran Cudbard-Bell wrote:
   use clear-text passwords in LDAP.  If you can't put clear-text
 passwords in LDAP, stop trying to use PEAP.
 
 NO ! Calculate the damn NT Hashes... Never put users clear-text 
 passwords in LDAP if you can avoid it.

  Step 1: Get it to work.
  Step 2: Get it to work better.

  Getting past step one involves configuring everything to remove as
many variables as possible.

 The weak point is the nt4 hash as it has no salt... and there are known 
 issues with md4, but it's still better than leaving everything in cleartext.

  For anyone who cares, 99.9% of NT-hashed passwords can be turned back
into clear-text passwords with 5G of disk space, and a few minutes of work.

  The security added by NT hashed passwords is minimal.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: radius+ldap+peap

2007-05-18 Thread Arran Cudbard-Bell
Alan DeKok wrote:
 Arran Cudbard-Bell wrote:
   use clear-text passwords in LDAP.  If you can't put clear-text
 passwords in LDAP, stop trying to use PEAP.
 NO ! Calculate the damn NT Hashes... Never put users clear-text 
 passwords in LDAP if you can avoid it.
 
   Step 1: Get it to work.
   Step 2: Get it to work better.

True...
But you're encouraging people in bad habits!

It's like all the documentation I've seen telling people to *un-check* 
the validate certificate check box in Windows XP supplicants...

 
   Getting past step one involves configuring everything to remove as
 many variables as possible.
 
 The weak point is the nt4 hash as it has no salt... and there are known 
 issues with md4, but it's still better than leaving everything in cleartext.
 
   For anyone who cares, 99.9% of NT-hashed passwords can be turned back
 into clear-text passwords with 5G of disk space, and a few minutes of work.

 
   The security added by NT hashed passwords is minimal.

Yes, but it stops the annoying student who acquires the manager 
credentials from the test documentation wiki which *someone* forgot to 
password protect, dumping everyone's credentials out in plaintext...

It's hard to stop people who know what they're doing, but fortunately 
those people are in the minority.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: radius+ldap+peap

2007-05-17 Thread Alan DeKok
Arjuna Scagnetto wrote:
 can someone tell me a good tutorial about making work freeradius with 
 ldap and peap on a 802.1x architecture ?

  Get LDAP working with PAP authentication, but NOT using ldap bind.

  Get PEAP working with passwords in the users file.

  Try PEAP with a user whose password is in LDAP.

 For the moment my freeradius server dies with a Segmentation Fault, i 
 think it's caused by a misunderstanding between peap and ldap but i'm 
 not sure.

  Please say which version of the server you're using.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog