ldap sha1 mschap peap pap
(Sorry, previous posting was in HTML, not intentional)

Hello Again,

Since I'm still relatively new to FreeRADIUS authorization/authentication, some clarification on the following subject would help me out greatly.

I understand that ldap passwords must be clear to use mschap (Windows XP wireless supplicant using PEAP). Is this absolutely true?

On reading the FAQ (5.11), I get the impression that you can use PAP passwords to authenticate. And, in radiusd.conf, you can specify a pap encryption scheme (in my case, my ldap passwords are in sha1). I've read through doc/rlm_ldap as the FAQ suggests and still do not understand.

Also, I'm able to bind using the credentials I've entered on the supplicant side. My knowledge is limited, but why can't the LDAP authorization be enough to say, ok, the user is in the database and the password is good. Let him/her have access. Why is authorization happening, but User-Password errors stopping me.

Please help!

Thanks
lje

rlm_ldap: user bogusstudent authorized to use remote access
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 8
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for bogusstudent with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Ladd J. Epp
Information Specialist
The University of Kansas
785-864-0460

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ldap sha1 mschap peap pap
Epp, Ladd J [EMAIL PROTECTED] wrote:
> Since I'm still relatively new to FreeRADIUS authorization/authentication, some clarification on the following subject would help me out greatly.
> I understand that ldap passwords must be clear to use mschap (Windows XP wireless supplicant using PEAP). Is this absolutely true?

Clear text, or NT-Passwords.

> On reading the FAQ (5.11), I get the impression that you can use PAP passwords to authenticate. And, in radiusd.conf, you can specify a pap encryption scheme (in my case, my ldap passwords are in sha1).

That won't work with PEAP, because the passwords aren't clear-text.

> Also, I'm able to bind using the credentials I've entered on the supplicant side.

... when you're not using xsupplicant to supply the passwords.

> My knowledge is limited, but why can't the LDAP authorization be enough to say, ok, the user is in the database and the password is good. Let him/her have access. Why is authorization happening, but User-Password errors stopping me.

Because EAP doesn't provide clear-text passwords, which LDAP needs for binding. And when you try to use EAP for authentication, LDAP is supplying SHA1 passwords, NOT the clear-text password needed by EAP.

Use clear-text passwords.

Alan DeKok.
Re: ldap sha1 mschap peap pap
Errr just a little question... if my understanding is good, it is possible to use EAP-PEAP with LDAP only if the passwords are in clear text?

I mean there is no interest to store them encrypted as far as PEAP uses a tunnel, so the security during the transfer might be enough, isn't it?

Anyway, what eap is needed (tls, ttls, leap) to have passwords encrypted in ldap? Is it even possible?

Thanks Alan :)
RE: ldap sha1 mschap peap pap
OK. Thanks for the explanation. We also run a Microsoft Active Directory that is storing NT-Passwords. Would this work with FreeRADIUS, mschap and PEAP?

Thanks
lje

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Monday, June 14, 2004 1:21 PM
To: [EMAIL PROTECTED]
Subject: Re: ldap sha1 mschap peap pap

Epp, Ladd J [EMAIL PROTECTED] wrote:
> Since I'm still relatively new to FreeRADIUS authorization/authentication, some clarification on the following subject would help me out greatly.
> I understand that ldap passwords must be clear to use mschap (Windows XP wireless supplicant using PEAP). Is this absolutely true?

Clear text, or NT-Passwords.

> On reading the FAQ (5.11), I get the impression that you can use PAP passwords to authenticate. And, in radiusd.conf, you can specify a pap encryption scheme (in my case, my ldap passwords are in sha1).

That won't work with PEAP, because the passwords aren't clear-text.

> Also, I'm able to bind using the credentials I've entered on the supplicant side.

... when you're not using xsupplicant to supply the passwords.

> My knowledge is limited, but why can't the LDAP authorization be enough to say, ok, the user is in the database and the password is good. Let him/her have access. Why is authorization happening, but User-Password errors stopping me.

Because EAP doesn't provide clear-text passwords, which LDAP needs for binding. And when you try to use EAP for authentication, LDAP is supplying SHA1 passwords, NOT the clear-text password needed by EAP.

Use clear-text passwords.

Alan DeKok.
Re: ldap sha1 mschap peap pap
Epp, Ladd J [EMAIL PROTECTED] wrote:
> OK. Thanks for the explanation. We also run a Microsoft Active Directory that is storing NT-Passwords. Would this work with FreeRADIUS, mschap and PEAP?

No. AD stores the NT-Passwords, but won't supply them to FreeRADIUS. See ntlm_auth for another way of doing it.

Alan DeKok.
Re: ldap sha1 mschap peap pap
Jawhar TAZI [EMAIL PROTECTED] wrote:
> Errr just a little question... if my understanding is good, it is possible to use EAP-PEAP with LDAP only if the passwords are in clear text?

No. Active Directory is NOT a real LDAP server. OpenLDAP can store, and supply to FreeRADIUS, NT-Passwords.

> I mean there is no interest to store them encrypted as far as PEAP uses a tunnel, so the security during the transfer might be enough, isn't it?

Yes.

> Anyway, what eap is needed (tls, ttls, leap) to have passwords encrypted in ldap? Is it even possible?

I'm not sure what you mean by that.

Alan DeKok.
Re: ldap sha1 mschap peap pap
Thanks for your quick answers :=)

My last question was: is it possible to use authentication with a password stored in ldap but encrypted inside it?

Let's take Openldap for instance. Is it possible to use the passwords stored in it to authenticate a user, knowing that the passwords are NOT in clear text? I mean we know it is not possible with peap, but with TLS or TTLS or even LEAP?

Is it possible to use password encrypted in openldap with:

EAP-TLS
EAP-TTLS
EAP-PEAP
EAP-LEAP

Thanks Alan
Re: ldap sha1 mschap peap pap
Jawhar TAZI [EMAIL PROTECTED] wrote:
> My last question was: is it possible to use authentication with a password stored in ldap but encrypted inside it?

Generally not.

> Let's take Openldap for instance. Is it possible to use the passwords stored in it to authenticate a user, knowing that the passwords are NOT in clear text? I mean we know it is not possible with peap,

That's not what I said in my last message.

> but with TLS or TTLS or even LEAP?

TLS doesn't use passwords. TTLS uses different tunneled authentication methods. Check those to see what's possible. LEAP already describes what's possible. See eap.conf.

Alan DeKok.
Re: ldap sha1 mschap peap pap
> TTLS uses different tunneled authentication methods. Check those to see what's possible.

TTLS + PAP should work, doesn't it.

--
damjan | This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!