(RADIATOR) PEAP + Radiator +LDAP + NTHash
Barry Ard
barry.ard at ualberta.ca
Wed May 7 12:13:53 CDT 2008
Fernando Reis wrote:
> Hello,
>
> I would like to know if it is possible to implement PEAP (for Windows
> XP/Vista authentication) with Radiator, using OpenLDAP as the user
> credentials database and, instead of clear-text passwords, using NT hash
> passwords like the ones in Samba.
> To make things simple, let's say that I don't have users in LDAP yet, so
> that I don't have to convert the passwords from one format to another.
> If it is possible, how can I do it? Is there any example in the
> goodies directory?
>
> Thanks In Advance
>
> Fernando Reis
> fereis at ipcb.pt
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
What you describe is, I think, a fairly common situation. In our
environment we use an LDAP backend with the NT hash passwords stored. Our
Radiator config includes the handlers below. This was cobbled together
from examples in the goodies directory and past emails from the
archive. One gotcha is that Radiator wants the NT hash password to be
prefixed by the string "{nthash}", which ours are not, hence the use of
the TranslatePasswordHook.
<Handler TunnelledByPEAP=1>
    # Inner (tunnelled) handler: only requests that arrive inside the
    # PEAP TLS tunnel set up by the outer handler below reach this one.
    # Windows XP when configured for a workgroup might send tunnelled user
    # names in the format COMPUTERNAME\username (eg BAKER\mikem).
    # This will strip the computer name, leaving just the user name.
    RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy LDAP2>
        Host ******
        AuthDN cn=wireless,dc=****,dc=****
        AuthPassword *******
        BaseDN ou=people,dc=****,dc=****
        UsernameAttr uid
        # Samba stores the NT hash as 32 hex digits with no prefix.
        PasswordAttr sambaNTPassword
        # Radiator only treats the fetched value as an NT hash (rather than
        # a clear-text password) when it carries the {nthash} prefix, so
        # add it on the way in.
        TranslatePasswordHook sub { return "{nthash}$_[0]"; }
        # LDAPS with mandatory verification of the directory's certificate.
        # The bind account above can read every user's NT hash, which is
        # password-equivalent, so this link must not be plain LDAP.
        UseSSL
        SSLVerify require
        SSLCAPath /etc/ssl/certs
        # Inner EAP method; Windows PEAP supplicants use EAP-MSCHAP-V2.
        EAPType MSCHAP-V2
        EAPTLS_CAPath /etc/ssl/certs
        EAPTLS_CertificateFile %D/certs/server.cert
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certs/server.key
        EAPTLS_RandomFile %D/random
        EAPTLS_MaxFragmentSize 1024
        # Derive the MPPE send/recv keys the access point needs for WPA.
        AutoMPPEKeys
        #EAPTTLS_NoAckRequired
        #EAPTLS_SessionResumption 0
        #EAPTLS_SessionResumptionLimit 10
    </AuthBy>
</Handler>

<Handler>
    # Outer handler: terminates the TLS tunnel for TTLS and PEAP using the
    # server certificate below. The credential check itself is done by
    # the inner handler above once the tunnel is up.
    <AuthBy FILE>
        EAPType TTLS,PEAP
        EAPTLS_CAPath /etc/ssl/certs
        EAPTLS_CertificateFile %D/certs/server.cert
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certs/server.key
        EAPTLS_RandomFile %D/random
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
        EAPTTLS_NoAckRequired
        #EAPAnonymous %0
        # Windows XP/Vista supplicants speak PEAP version 0.
        EAPTLS_PEAPVersion 0
    </AuthBy>
</Handler>
--
=================================================================
Barry Ard barry.ard at ualberta.ca
Network Operations
Academic Information and Communication Technologies (AICT)
University of Alberta
Edmonton, Alberta Canada
This communication is intended for the use of the recipient to which it
is addressed, and may contain confidential, personal, and/or privileged
information. Please contact us immediately if you are not the intended
recipient of this communication. If you are not the intended recipient
of this communication, do not copy, distribute, or take action on it.
Any communication received in error, or subsequent reply, should be
deleted or destroyed.