> From what I can tell, the only way to deal with plaintext passwords stored
> in LDAP and still have username/password authentication is to go with
> EAP-TTLS and use the secure2 client.
>
> But I just saw the post by Tom Zeller and he's saying the hashed password
> does NOT go over the network with MS-CHAP. So I'm starting to get a bit
> confused.

Some background might help clarify here. The phrase "EAP-TTLS," while being
the correct name for the EAP type, does not fully qualify the implementation.
TTLS is "Tunneled TLS," TLS being "Transport Layer Security," which by itself
creates a tunnel. So we have two tunnels here: the one created by TLS --
sometimes called the "outer" tunnel -- and the unspecified "inner" tunnel.

In the case of Tom Zeller's message, earlier, the inner tunnel was formed by
MS-CHAPv2. Some people write this as EAP-TTLS-MSCHAPv2. The "clear-text
password" version of EAP-TTLS uses the "Password Authentication Protocol"
(PAP) to form the inner tunnel. Some people write this as EAP-TTLS-PAP.

So, Tom was correct in the context of Tom's discussion, and the people talking
about username/password authentication were also correct. They were simply
assuming different implementations of EAP-TTLS. Both are perfectly valid and
each has its pros and cons.

Sincerely,
Mark Linton
[EMAIL PROTECTED]
www.personal.psu.edu/mhl100
814-865-4698

> -----Original Message-----
> From: Matt Ashfield [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 10, 2006 1:53 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP
>
> Hi All,
>
> Thanks for all the responses. It's great to be part of a useful mailing list
> like this!
>
> Just to clarify a few things:
> our passwords are stored in cleartext on the ldap server.
> We are using SunOne for LDAP and FreeRadius for radius.
> We have no desire to have individual client certificates and would prefer to
> do username/password against the LDAP server.
>
> From what I can tell, the only way to deal with plaintext passwords stored
> in LDAP and still have username/password authentication is to go with
> EAP-TTLS and use the secure2 client.
>
> But I just saw the post by Tom Zeller and he's saying the hashed password
> does NOT go over the network with MS-CHAP. So I'm starting to get a bit
> confused.
>
> Any thoughts? Does anyone here have this same situation and have it
> working?
>
> Thanks
>
> Matt Ashfield
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Michael Griego [mailto:[EMAIL PROTECTED]
> Sent: July 7, 2006 4:24 PM
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP
>
> Hey, Matt,
>
> This setup is actually almost identical to what we're doing here at
> UT Dallas.
>
> As is commonly seen on the FreeRADIUS mailing lists, I think you may
> be confusing how to use PEAP with LDAP a little. In order to use
> PEAP with LDAP, you don't use LDAP "authentication" in FreeRADIUS.
> You have to store either a cleartext password or an NTLMv2 password
> hash in your LDAP directory for each of your users. Be sure if you
> do this to set appropriate ACLs on the attribute containing the
> password/hash so that only the RADIUS connect profile can get to that
> attribute. In any case, once you've done this, the LDAP module goes
> in your authorize section in FR so that it can pull the password or
> hash out and use it to perform the authentication itself using the
> mschap module.
>
> Also, for PEAP, you only need a certificate for your RADIUS servers
> to authenticate the network to the users. Your users don't need
> personal certificates as they would using EAP-TLS. If you purchase a
> commercial certificate from one of the CAs included by default in
> your client OSes, then you don't have to install anything on the
> clients and just have to configure them for access.
>
> These links might be useful for you:
>
> UTD's 802.1x setup instructions for Windows XP:
> http://www.utdallas.edu/ir/cats/network/wlan/8021x/winxp/index.html
>
> I actually gave an Educause Live presentation on UTD's 802.1x
> deployment. It's archived here:
> http://www.educause.edu/LIVE058
>
> Hope that helps!
>
> --Mike
>
> On Jul 7, 2006, at 1:50 PM, Matt Ashfield wrote:
>
> > Hi All
> >
> > I'm trying to configure 802.1x wireless authentication using credentials
> > stored in LDAP.
> >
> > I am running FreeRadius and SunOne ldap server. The Radius server is
> > correctly doing authentication attempts to the LDAP server (I issue the
> > "radtest" command with a username/passwd from LDAP and I get an
> > authenticate-accept back).
> >
> > The next step is setting up an XP client to talk to an Access Point, which
> > is configured to authenticate via the Radius server, via LDAP. So far, in
> > my minimal testing, I've seen the client try to connect using its Windows
> > credentials rather than giving the user a chance to enter a
> > username/password.
> >
> > I'm sure others out there are doing this. I'm just wondering what you're
> > using? EAP-TLS, PEAP, etc..? I guess I need to get my acronyms straight
> > first and go from there.
> >
> > From what I can tell PEAP will require my users to install a certificate.
> > We'd much rather prefer them to have to enter their LDAP usernames and
> > passwords.
> >
> > Any advice is appreciated.
> >
> > Thanks
> >
> >
> > Matt Ashfield
> > [EMAIL PROTECTED]
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Constituent Group discussion list can be found at
> > http://www.educause.edu/groups/.
> > **********
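The setup Michael describes (the ldap module in `authorize` pulling the stored password or hash, `pap`/`mschap` doing the actual authentication) and the distinction Mark draws (EAP-TTLS-PAP versus EAP-TTLS-MSCHAPv2 / PEAP-MSCHAPv2 as different inner methods over the same TLS outer tunnel) both come down to one inner-tunnel virtual server. The fragments below are an added example in FreeRADIUS 3.x syntax, not configuration from the thread, from UTD or from the FreeRADIUS project; the 2006 FreeRADIUS 1.x files looked different. The host name, bind DN, base DN, certificate paths and the `sambaNTPassword` attribute name are assumptions, and the directory is assumed to hold either a `userPassword` value or an NT hash for each user.

```conf
# mods-available/ldap (excerpt) -- added example; placeholders throughout
ldap {
    server   = 'ldap.example.edu'                            # assumed host
    identity = 'cn=radius,ou=services,dc=example,dc=edu'     # assumed bind DN
    password = 'CHANGE-ME'
    base_dn  = 'ou=people,dc=example,dc=edu'                 # assumed base

    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # userPassword (cleartext, or with a {crypt}/{ssha} header) is copied
        # into Password-With-Header. The pap module understands the header, so
        # EAP-TTLS-PAP works with a hashed value; mschap needs a cleartext
        # value or an NT hash to recompute an MS-CHAPv2 response.
        control:Password-With-Header += 'userPassword'
        # If an NT hash is stored instead (assumed attribute name), mschap
        # uses it directly. The hash stays on the server and the directory;
        # only the challenge/response derived from it crosses the network.
        control:NT-Password := 'sambaNTPassword'
    }
}

# mods-available/eap (excerpt): one server certificate, no client certificates.
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/radius.key    # assumed paths
        certificate_file = ${certdir}/radius.pem
        ca_file          = ${cadir}/ca-chain.pem
    }
    ttls {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }
    peap {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }
}

# sites-available/inner-tunnel (excerpt): both TTLS and PEAP hand the
# inner authentication to this virtual server.
server inner-tunnel {
    authorize {
        ldap       # fetch the password or hash for the inner identity
        mschap     # sets Auth-Type = MS-CHAP when MS-CHAP attributes are present
        eap        # inner EAP-MSCHAPv2 under PEAP
        pap        # sets Auth-Type = PAP when User-Password is present (TTLS-PAP)
    }
    authenticate {
        Auth-Type PAP {
            pap    # compares the tunnelled password with the stored value
        }
        Auth-Type MS-CHAP {
            mschap # recomputes the MS-CHAPv2 response from the NT hash
        }
        eap
    }
}
```

The ACL point Michael raises belongs on the directory side: with `control:NT-Password` or a cleartext `userPassword` in play, the password attribute is a server-side secret, so only the RADIUS bind DN should be able to read it. On Sun ONE / 389-style servers that is an ACI on the people subtree of the form `(targetattr="userPassword || sambaNTPassword")(version 3.0; acl "RADIUS password read"; allow (read,search,compare) userdn="ldap:///cn=radius,ou=services,dc=example,dc=edu";)` (the DN and attribute names are the same assumptions as above), with no anonymous or self read on those attributes. After loading the config, `radtest` against the outer server still exercises only PAP; `eapol_test` from wpa_supplicant, or a real client, is needed to confirm the PEAP and TTLS paths reach `inner-tunnel`.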
