(RADIATOR) OpenLDAP directory + samba supporting EAP-TTLS and PEAP-MSCHAP-V2

Hugh Irvine hugh at open.com.au
Thu Mar 29 23:42:28 CST 2007


Hello Rogier -

You can use a PostSearchHook in your AuthBy LDAP2 clause to add
"{nthash}" to the beginning of the NT hash password retrieved from LDAP.

Alternatively you can try the TranslatePasswordHook.

See sections 5.18.46 and 5.36.21 in the Radiator 3.17 reference
manual ("doc/ref.html").

There are also numerous example hooks in "goodies/hooks.txt".

regards

Hugh


On 30 Mar 2007, at 01:16, Rogier Krieger wrote:

> Dear list,
>
> As part of a test setup, I am trying to extend our (working) EAP-TTLS
> authentication to also support EAP-PEAP-MSCHAP-V2. This is done using
> Radiator 3.17 on a clean OpenBSD installation, extended with the
> necessary Perl and LDAP packages.
>
> We want to support multiple EAP types primarily as a service to users
> who tend to have a plethora of different equipment. That equipment may
> not always work well with TTLS, hence we would like a secondary
> option (PEAP).
>
> We are trying to authenticate users against LM/NT hashes present in
> our OpenLDAP back-end but seem to come across MSCHAP-V2
> authentication failures.
>
>
> Background:
> Our OpenLDAP backend stores user names and other account data. We
> store encrypted (salted SHA) passwords in the userPassword, but also
> have NT and LM hashed passwords available in the sambaLMPassword and
> sambaNTPassword attributes. Samba provides the synchronisation between
> all these attributes. Switching to a cleartext userPassword is not a
> viable option.
>
> Given the manual, I cannot use EncryptedPasswordAttr either as it
> would prevent CHAP authentication. I would like PasswordAttr to use
> the LDAP sambaNTPassword or sambaLMPassword attributes. For now, I am
> unable to get MSCHAP-V2 authentication going successfully against
> these attributes.
>
>
> Expected issue:
> I suspect the problem lies in the contents of the sambaLMPassword and
> sambaNTPassword attributes (in that they only contain the hash and do
> not start with {nthash} or a similar prefix). As long as there is a
> plaintext userPassword, authenticating against that field works. For
> production, however, plaintext passwords are a no-go.
>
> Is there a way to make Radiator realise that it deals with NT/LM
> hashes in those fields without changing the actual LDAP backend's
> data? As a side note: I wish using winbindd were an option. Winbindd
> seems to have issues compiling on my OpenBSD system; likely due to
> GNU-isms.
>
> For the sake of completeness, I included the present test setup
> configuration and a trace (from a PalmOS client).
>
> Any insight would be greatly appreciated,
>
> Rogier Krieger
>
>
> Radiator configuration:
> # cat /etc/radiator/radius.cfg
> # Global options
> # ==============
> #
> # Debugging directives
> #       Run the server in the background by default
> #Foreground
> #
> #       Default trace level for day-to-day production use
> #Trace 4
> Trace 3
>
>
> # Logging directives
> #       Log directory & file name
> LogDir /var/log/radius
> LogFile %L/%Y%m-radius.log
>
>
> # Primary directory/file locations
> DbDir /etc/radiator/db
>
>
> # Privilege settings
> #       Effective user running the daemon
> #User _radiator
> #       Effective group running the daemon
> #Group _radiator
>
>
> # Networking directives
> #       Address to bind to
> #BindAddress
> #
> #       Listening ports for requests
> AuthPort 1812,1645
> AcctPort 1813,1646
>
> #
> # Authentication settings
> # =======================
>
> <AuthBy LDAP2>
> 	Identifier Iverdahl-LDAP
>
> 	# Generic configuration
> 	UsernameMatchesWithoutRealm
> 	HoldServerConnection
>
> 	# LDAP Bind details
> 	Host ldap.iverdahl.net
> 	Version 3
> 	AuthDN cn=radius,ou=a3,ou=services,dc=iverdahl,dc=net
> 	AuthPassword *blanked*
>
> 	#       These entries are *only* for LDAP debugging purposes
> 	#AuthDN cn=admin,ou=ldap,ou=services,dc=iverdahl,dc=net
> 	#AuthPassword *blanked*
>
> 	# LDAP SSL/TLS settings
> 	UseSSL
> 	SSLCAFile %D/x509/ca/Iverdahl.net-CA-cacert.pem
>
> 	# LDAP Information retrieval
> 	ServerChecksPassword
> 	BaseDN ou=iverdahl,ou=people,dc=iverdahl,dc=net
> 	UsernameAttr uid
> 	PasswordAttr sambaNTPassword
> 	#PasswordAttr sambaLMPassword
> 	#PasswordAttr userPassword
>
> 	# EAP Type settings
> 	EAPType MSCHAP-V2
>
> 	# Quick-fix for VLAN issues
> 	StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID
> 	AddToReply Tunnel-Type=1:VLAN, \
> 		Tunnel-Medium-Type=1:802, \
> 		Tunnel-Private-Group-ID=1:801
> </AuthBy>
>
>
> # Generic EAP outer authentication
> <AuthBy FILE>
> 	Identifier Generic-File
>
> 	# Username source(s)
> 	Filename %D/users.EAP-outer
>
> 	# EAP Type settings
> 	EAPType TTLS, PEAP
>
> 	# EAP TLS settings
> 	EAPTLS_CAFile %D/x509/ca/Iverdahl.net-CA-cacert.pem
> 	EAPTLS_CertificateFile %D/x509/certs/radius.iverdahl.net-cert.pem
> 	EAPTLS_CertificateType PEM
> 	EAPTLS_PrivateKeyFile %D/x509/keys/radius.iverdahl.net-key.pem
> 	EAPTLS_PrivateKeyPassword *blanked*
> 	EAPTLS_MaxFragmentSize 1024
>
> 	# EAP-PEAP settings
> 	EAPTLS_PEAPVersion 0
> 	#EAPTLS_PEAPBrokenV1Label
>
> 	# MPPE key distribution
> 	AutoMPPEKeys
> </AuthBy>
>
> #
> # Realms & Handlers
> # =================
> <Handler TunnelledByTTLS=1, Realm=iverdahl.net>
> 	RewriteUsername s/^([^@]+).*/$1/
> 	AuthBy Iverdahl-LDAP
> </Handler>
>
> <Handler TunnelledByPEAP=1, Realm=iverdahl.net>
> 	#RewriteUsername s/^([^@]+).*/$1/
> 	AuthBy Iverdahl-LDAP
> </Handler>
>
> <Handler TunnelledByPEAP=1>
> 	#RewriteUsername s/^([^@]+).*/$1/
> 	AuthBy Iverdahl-LDAP
> </Handler>
>
> <Handler Realm=/iverdahl.net/i>
> 	RewriteUsername s/^([^@]+).*/$1/
>
> 	# Authentication policy
> 	AuthByPolicy ContinueWhileReject
>
> 	# Provide EAP outer authentication settings
> 	AuthBy Generic-File
>
> 	# Fall-back LDAP authentication (for later; non-EAP)
> 	AuthBy Iverdahl-LDAP
> </Handler>
>
> #
> # Client settings
> # ===============
>
> #       Default client connections
> <Client DEFAULT>
> 	Secret *blanked*
> </Client>
>
> #       Settings for localhost connections
> <Client localhost>
> 	Secret *blanked*
> 	DupInterval 0
> </Client>
>
> #       Settings for Linksys WAP54G AP
> <Client ap01.iverdahl.lan>
> 	Secret *blanked*
> 	DupInterval 0
> </Client>
>
> #       Settings for Cisco Aironet 1200
> <Client 10.0.0.20>
> 	Secret *blanked*
> 	#DupInterval 0
> </Client>
> <20070329-iverdahl-peap-trace4-edited.txt>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
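The PostSearchHook approach Hugh describes, written out as an added example (editor's code, not Radiator's own and not from either poster). It assumes the Radiator 3.17 hook signature of ($self, $username, $request, $entry, $user, $reply), with $entry a Net::LDAP::Entry and $user->get_check returning the check-item list with change_attr/get_attr; confirm the argument order against ref.html section 5.18.46 before using it. The stand-in packages and the sample hash value are constructed so the script runs without Radiator or an LDAP server; in radius.cfg only the sub body would go on the PostSearchHook line.

```perl
#!/usr/bin/perl
# Added example: prefix the NT hash fetched from sambaNTPassword with
# "{nthash}" so the User-Password check item is treated as an NT hash
# for MSCHAP-V2.  Not Radiator's own code.
# Assumed hook arguments (check ref.html 5.18.46 for Radiator 3.17):
#   $_[0] AuthBy LDAP2 object, $_[1] user name, $_[2] request,
#   $_[3] Net::LDAP::Entry, $_[4] Radius::User, $_[5] reply packet
use strict;
use warnings;

# Hook body as it would appear inside <AuthBy LDAP2>:
#   PostSearchHook sub { ... }
my $post_search_hook = sub {
    my ($self, $username, $request, $entry, $user, $reply) = @_;

    my $nthash = $entry->get_value('sambaNTPassword');
    # sambaNTPassword carries the 16-byte NT hash as 32 hex digits;
    # anything else is left alone so a malformed entry cannot be
    # turned into a usable credential by accident.
    unless (defined $nthash && $nthash =~ /^[0-9A-Fa-f]{32}$/) {
        $self->log($main::LOG_WARNING,
            "No usable sambaNTPassword for $username; check items unchanged");
        return;
    }
    # Replace the bare hash that PasswordAttr produced with the prefixed form
    $user->get_check->change_attr('User-Password', '{nthash}' . $nthash);
    return;
};

# ---- Constructed stand-ins so the script runs offline (not Radiator APIs) ----
package MockEntry;   # mimics the Net::LDAP::Entry method used above
sub new       { my ($class, %attrs) = @_; return bless {%attrs}, $class }
sub get_value { my ($self, $attr) = @_; return $self->{$attr} }

package MockCheck;   # mimics the check-item list methods used above
sub new         { return bless { attrs => {} }, shift }
sub change_attr { my ($self, $n, $v) = @_; $self->{attrs}{$n} = $v }
sub get_attr    { my ($self, $n) = @_; return $self->{attrs}{$n} }

package MockUser;
sub new       { return bless { check => MockCheck->new }, shift }
sub get_check { return $_[0]{check} }

package MockAuthBy;
sub new { return bless {}, shift }
sub log { my ($self, $level, $msg) = @_; print "LOG: $msg\n" }

package main;
$main::LOG_WARNING = 2;   # placeholder level value for the stand-in logger

# Constructed sample entries: one with a made-up 32-hex-digit NT hash,
# one without the attribute at all.
my $authby = MockAuthBy->new;
for my $case (
    [ 'alice', MockEntry->new(sambaNTPassword => '0123456789ABCDEF0123456789ABCDEF') ],
    [ 'bob',   MockEntry->new() ],
) {
    my ($name, $entry) = @$case;
    my $user = MockUser->new;
    # Simulate what PasswordAttr sambaNTPassword puts in the check items
    my $raw = $entry->get_value('sambaNTPassword');
    $user->get_check->change_attr('User-Password', defined $raw ? $raw : '');
    $post_search_hook->($authby, $name, undef, $entry, $user, undef);
    printf "%-6s User-Password check item: %s\n", $name,
        $user->get_check->get_attr('User-Password');
}
```

Running it prints the prefixed "{nthash}..." check item for alice and the warning plus an empty check item for bob, which is what the inner PEAP handler would then see. Note that ServerChecksPassword in the posted config makes Radiator verify by binding to LDAP as the user, which requires the plaintext password; MSCHAP-V2 never supplies one, so the PasswordAttr plus prefix path is the one the tunnelled handler has to rely on.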


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
