(RADIATOR) Help setting up PEAP (with MSCHAP)
António Fernandes
afernandes at egp.up.pt
Tue Jun 21 03:36:19 CDT 2005
Hi Hugh,
Thanks... I've done the changes but I can't seem to get it to work.
Can you help me?
Yours,
Antonio Fernandes
Oporto Management School
Oporto University
<AuthBy SQL>
#identificador
Identifier authby_MYSQL_PEAP_eu
# No default
NoDefault
NoDefaultIfFound
#EAP
EAPType MSCHAP-V2
EAPTLS_PEAPVersion 0
# Definicao da BD
DBSource dbi:mysql:EGP_Sistema:mysql.egp.up.pt
DBUsername XXXXXXXX
DBAuth XXXXXXXXX
#SQL de acesso
AuthSelect SELECT CONCAT('{nthash}',NTLM) AS NTLM,
CONCAT(User,'@',Domain) AS Username, VLAN FROM users where
CONCAT(User,'@',Domain)='%n' AND AccWiFi='1'
AuthColumnDef 0, Encrypted-Password, check
AuthColumnDef 1, User-Name, reply
AuthColumnDef 2, Tunnel-Private-Group-ID, reply
# Se nao tiver VLAN retorna para default
AllowInReply Tunnel-Private-Group-ID
AddToReplyIfNotExist Tunnel-Private-Group-ID = "1:5"
AddToReply Tunnel-Type = "1:VLAN", Tunnel-Medium-Type =
"1:Ether_802"
# Only one session per user at a time
DefaultSimultaneousUse 1
</AuthBy>
<Handler TunnelledByPEAP=1>
RewriteUsername s/^([^@]+).*/$1/
UsernameCharset a-zA-Z0-9\._\@-
SessionDatabase NULL
AuthByPolicy ContinueUntilAccept
AuthBy authby_MYSQL_PEAP_eu
# <AuthBy FILE>
# RewriteUsername s/^([^@]+).*/$1/
# Filename /etc/radiator/users_OK
# EAPType MSCHAP-V2
# AddToReply User-Name=%u
# </AuthBy>
AuthLog log_LocalUsers
</Handler>
<Handler Realm = /egp\.up\.pt.*/i>
# Stripoff de realm
RewriteUsername s/^([^@]+).*/$1/
SessionDatabase NULL
MaxSessions 1
AuthByPolicy ContinueUntilAccept
<AuthBy FILE>
EAPType TTLS, PEAP, TLS
EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
EAPTLS_CertificateFile /etc/radiator/certEGP/radiator.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/certEGP/radiator.pem
EAPTLS_PrivateKeyPassword XXXXXXXXXX
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4
</AuthBy>
<Log SYSLOG>
Facility radius
</Log>
</Handler>
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: sábado, 18 de Junho de 2005 15:06
To: António Fernandes
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)
Hello Antonio -
Radiator supports NT hash passwords with a prefix of "{nthash}".
See section 13.1.1 in the Radiator 3.13 reference manual ("doc/
ref.html").
regards
Hugh
On 18 Jun 2005, at 19:46, António Fernandes wrote:
>
> I'm currently using Radiator for wireless authentication (EAP-TTLS)
> using
> SecureW2 in WinXP SP2. Since the beginning I would also like to add
> PEAP
> using MSCHAP. The problem with MSCHAP comes with the need of clear
> text
> passwords. Recently I've came across with a FreeRadius
> implementation that
> allows to do MSCHAP authentication using NTLM style passwords (NT/LM
> hashes). I understand that NTLM are reversible and if so, it should
> work
> also with Radiator?
>
> Is this possible with Radiator? I tried to get passwords from the
> MySQL with
> no success. When the password is in plain text it works fine but
> when I
> change it to NTLM it rejects...
>
> Any ideas?
>
>
> Yours,
>
> Antonio Fernandes
> Oporto Management School
> Oporto University
>
>
>
>
> Config:
> <AuthBy SQL>
> #identifier
> Identifier authby_MYSQL_PEAP_eu
> # No default
> NoDefault
> NoDefaultIfFound
> #EAP
> EAPType MSCHAP-V2
> # DB
> DBSource dbi:mysql:XXXXX:XXXXXX
> DBUsername XXXXXX
> DBAuth XXXXXXX
> # SQL
> AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS
> Username, VLAN
> FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
> AuthColumnDef 0, Encrypted-Password, check
> AuthColumnDef 1, User-Name, reply
> AuthColumnDef 2, Tunnel-Private-Group-ID, reply
> AddToReply Tunnel-Type = "1:VLAN", Tunnel-Medium-Type =
> "1:Ether_802"
> # Only one session per user at a time
> DefaultSimultaneousUse 1
> </AuthBy>
> <Handler TunnelledByPEAP=1, Client-Identifier=LocaL>
> UsernameCharset a-zA-Z0-9\._\@-
> SessionDatabase NULL
> AuthBy authby_MYSQL_PEAP_eu
> </Handler>
> <Handler Realm = /egp\.up\.pt.*/i>
> # Stripoff de realm
> RewriteUsername s/^([^@]+).*/$1/
>
> SessionDatabase NULL
>
> MaxSessions 1
> <AuthBy FILE>
> EAPType TTLS, PEAP, TLS
> EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
> EAPTLS_CertificateFile /etc/radiator/certEGP/
> radiator.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radiator/certEGP/
> radiator.pem
> EAPTLS_PrivateKeyPassword XXXXXXXXXXXX
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> <Log SYSLOG>
> Facility radius
> </Log>
> </Handler>
>
>
>
>
>
> Snipet.... (http://forum.chupa.nl/showthread.php?t=1141&page=3)
>
> passwd etc_smbpasswd_with_domain {
> filename = /opt/etc/smbpasswd
> format = "*Stripped-User-Name:NT-Password"
> authtype = MS-CHAP
> hashsize = 100
> ignorenislike = no
> allowmultiplekeys = no
> }
>
> My "smbpasswd" (far from it now) looks like this:
> # Sample smbpasswd file.
> # To use this, set 'encrypt passwords = yes' in the [global]-section
> # of /etc/smb.conf
> Tommy:NTLMPASS
> Connie:NTLMPASS
> PocketPC:NTLMPASS
>
NB: I am travelling this week, so there may be delays in our
correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logfile-2005-06-21.zip
Type: application/x-zip-compressed
Size: 5066 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20050621/16ffa6d5/attachment.bin>
More information about the radiator
mailing list