(RADIATOR) 802.1x, MD5 and LDAP

Terry Simons galimore at mac.com
Wed Jun 30 15:20:12 CDT 2004


Hi,

You should probably look at something like TTLS->PAP or PEAP-GTC to 
help solve this problem.

It isn't that the server is expecting that your passwords are 
clear-text, but that they *HAVE TO BE* in order for the types of 
authentication you are trying to work.

This has been covered numerous times in the archives, so I suggest you 
start there.

It's the EAP-type that is "broken" here.  What EAP type are you trying 
to use? PEAP-MSCHAPv2 is a very common EAP type with this problem.

So once you understand what's really going on with the actual 
authentication, it will probably make sense to you.  If you still don't 
understand after reading the archives, post another (more specific) 
question.

- Terry

On Jun 30, 2004, at 12:02 PM, Rodger Hanson wrote:

> Begin forwarded message:
> From: Christopher Stott <chris at manukau.ac.nz>
> Date: 29 June 2004 11:28:34 AM
> To: radiator at open.com.au
> Subject: 802.1x, MD5 and LDAP
>
> Hello,
>
> I'm new to this game and somewhat confused :-(
>
> I have a simple desire to use a single encrypted password in my 
> directory server. I'd allow access to services based on successful 
> authentication against LDAP and other attribute values held within the 
> directory server. This plan works fine with the <AuthBy LDAP2> clause 
> and postauthhook files for my dial-in and vpn systems. However, once I 
> try to use an 802.1x wireless access point I run into issues. It would 
> appear that the password check assumes LDAP returns a clear text 
> password. This seems a little odd as this was not the case in my 
> dial-in and vpn setups.
>
> I really don't want to create another password (and keep it in the 
> clear) on the directory server as I'll run into all manner of issues 
> with password consistency.
>
> I've toyed with the idea of a preauthhook file to create a dummy passwd 
> file for an <AuthBy Unix> and a postauthhook to get rid of the junk. 
> <AuthBy EXTERNAL> looks interesting, but both of these solutions seem 
> to be making the issue more complex than it probably needs to be.
>
> Any hints, tips, advice please?
>
> Chris.
>
> 8<-------- 8<-------- 8<-------- Stuff out of the cfg file. 8<-------- 
> 8<-------- 8<--------
>
> <Client a.b.c.d>
> Description Foundry-Wireless-AP
> # Can't see a Foundry dictionary, lets use cisco for now
> NasType Cisco
> Identifier Foundry-Wireless-AP
> Secret ************
> DupInterval 0
> IgnoreAcctSignature
> </Client>
>
> <Handler Client-Identifier=Foundry-Wireless-AP>
> <AuthBy LDAP2>
> Identifier Foundry-Wireless-AP
> EAPType MD5-Challenge
> Host ldap.at.my.place
> Port 389
> AuthDN uid=the_boss
> AuthPassword ***********
> BaseDN search_base
> UsernameAttr uid
> PasswordAttr userPassword
> Description Foundry-Wireless-AP
> </AuthBy>
> PostAuthHook file:"PostAuthCheck"
> AcctLogFileName /var/log/radius/Foundry-Wireless-AP.log
> </Handler>
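To make the point in the reply concrete: the following is an added example, written for this archive page and not code from either poster or from Radiator, showing why EAPType MD5-Challenge cannot be checked against a hashed LDAP userPassword, while a PAP password carried inside a TTLS tunnel can. EAP-MD5 is CHAP (RFC 1994): the supplicant sends MD5(Identifier || Secret || Challenge), so the server must hold the cleartext Secret to recompute it. With TTLS->PAP the cleartext password itself reaches the server (protected by the TLS tunnel), and the server can hash it with the stored salt and compare. The password, salt, identifier and challenge below are constructed for the demonstration; the {SSHA} layout follows the OpenLDAP convention of base64(SHA-1(password || salt) || salt). MSCHAPv2 (PEAP-MSCHAPv2) has the same constraint, needing the cleartext or at least the NT hash, which is not demonstrated here.

```python
import base64
import hashlib
import hmac

# Constructed values for the demonstration only.
PASSWORD = "correct horse battery staple"
SALT = b"\x01\x02\x03\x04"          # fixed salt so the stored value is reproducible
EAP_IDENT = 7                        # EAP Identifier byte chosen by the authenticator
CHALLENGE = b"\xaa" * 16             # 16-byte MD5-Challenge value


def ssha_hash(password: str, salt: bytes) -> str:
    """Produce an OpenLDAP-style {SSHA} userPassword attribute value."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """What a server can do once it has the cleartext candidate (TTLS->PAP, PEAP-GTC):
    re-hash with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; rest is salt
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def eap_md5_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """Supplicant side of EAP-MD5: MD5(Identifier || Secret || Challenge), RFC 1994."""
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()


def server_check_md5(ident: int, challenge: bytes, response: bytes, known_secret: str) -> bool:
    """Server side of EAP-MD5. The only way to verify is to recompute the same MD5,
    which requires whatever the supplicant used as Secret, i.e. the cleartext password."""
    expected = eap_md5_response(ident, known_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """Returns (pap_ok, md5_with_hash_only, md5_with_cleartext)."""
    stored = ssha_hash(PASSWORD, SALT)

    # TTLS->PAP or PEAP-GTC: the cleartext arrives inside the tunnel; verifiable.
    pap_ok = ssha_verify(stored, PASSWORD)

    # EAP-MD5: the supplicant computes the response from the cleartext it knows.
    response = eap_md5_response(EAP_IDENT, PASSWORD, CHALLENGE)

    # Server that only has the {SSHA} string cannot reproduce the response; feeding
    # the stored hash in as if it were the secret is the best it can do, and it fails.
    md5_with_hash_only = server_check_md5(EAP_IDENT, CHALLENGE, response, stored)

    # Server that holds the cleartext (what MD5-Challenge actually requires) succeeds.
    md5_with_cleartext = server_check_md5(EAP_IDENT, CHALLENGE, response, PASSWORD)

    return pap_ok, md5_with_hash_only, md5_with_cleartext


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to the dial-in and VPN setups that already work with <AuthBy LDAP2>: those NAS devices hand Radiator a PAP password, so the hash comparison is possible; the access point configured for MD5-Challenge hands it only a digest.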