(RADIATOR) Help setting up PEAP (with MSCHAP)
Hugh Irvine
hugh at open.com.au
Sat Jun 18 09:05:46 CDT 2005
Hello Antonio -
Radiator supports NT hash passwords with a prefix of "{nthash}".
See section 13.1.1 in the Radiator 3.13 reference manual ("doc/ref.html").
regards
Hugh
On 18 Jun 2005, at 19:46, António Fernandes wrote:
>
> I'm currently using Radiator for wireless authentication (EAP-TTLS) using SecureW2 on WinXP SP2. From the beginning I have also wanted to add PEAP using MSCHAP. The problem with MSCHAP is the need for clear-text passwords. Recently I came across a FreeRadius implementation that allows MSCHAP authentication using NTLM-style passwords (NT/LM hashes). I understand that NTLM is reversible, and if so, it should also work with Radiator?
>
> Is this possible with Radiator? I tried to get the passwords from MySQL with no success. When the password is in plain text it works fine, but when I change it to NTLM it is rejected...
>
> Any ideas?
>
> Yours,
>
> Antonio Fernandes
> Oporto Management School
> Oporto University
>
> Config:
>
> <AuthBy SQL>
>     # identifier
>     Identifier authby_MYSQL_PEAP_eu
>     # No default
>     NoDefault
>     NoDefaultIfFound
>     # EAP
>     EAPType MSCHAP-V2
>     # DB
>     DBSource dbi:mysql:XXXXX:XXXXXX
>     DBUsername XXXXXX
>     DBAuth XXXXXXX
>     # SQL
>     AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS Username, VLAN FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
>     AuthColumnDef 0, Encrypted-Password, check
>     AuthColumnDef 1, User-Name, reply
>     AuthColumnDef 2, Tunnel-Private-Group-ID, reply
>     AddToReply Tunnel-Type = "1:VLAN", Tunnel-Medium-Type = "1:Ether_802"
>     # Only one session per user at a time
>     DefaultSimultaneousUse 1
> </AuthBy>
>
> <Handler TunnelledByPEAP=1, Client-Identifier=LocaL>
>     UsernameCharset a-zA-Z0-9\._\@-
>     SessionDatabase NULL
>     AuthBy authby_MYSQL_PEAP_eu
> </Handler>
>
> <Handler Realm = /egp\.up\.pt.*/i>
>     # Strip off the realm
>     RewriteUsername s/^([^@]+).*/$1/
>     SessionDatabase NULL
>     MaxSessions 1
>     <AuthBy FILE>
>         EAPType TTLS, PEAP, TLS
>         EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
>         EAPTLS_CertificateFile /etc/radiator/certEGP/radiator.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certEGP/radiator.pem
>         EAPTLS_PrivateKeyPassword XXXXXXXXXXXX
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>     </AuthBy>
>     <Log SYSLOG>
>         Facility radius
>     </Log>
> </Handler>
>
> Snippet.... (http://forum.chupa.nl/showthread.php?t=1141&page=3)
>
> passwd etc_smbpasswd_with_domain {
>     filename = /opt/etc/smbpasswd
>     format = "*Stripped-User-Name:NT-Password"
>     authtype = MS-CHAP
>     hashsize = 100
>     ignorenislike = no
>     allowmultiplekeys = no
> }
>
> My "smbpasswd" (far from it now) looks like this:
>
> # Sample smbpasswd file.
> # To use this, set 'encrypt passwords = yes' in the [global]-section
> # of /etc/smb.conf
> Tommy:NTLMPASS
> Connie:NTLMPASS
> PocketPC:NTLMPASS
>
NB: I am travelling this week, so there may be delays in our correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.