[RADIATOR] OpenLDAP, PEAP-MSCHAPv2, WPA2-Enterprise -- solution
romans at cc.technion.ac.il
Thu May 19 07:57:10 CDT 2011
Hello,
I've solved the problem with OpenLDAP, PEAP-MSCHAPv2, WPA2-Enterprise and passwords that are not stored in clear text.
Here is the solution -- 19-May-2011, Radiator v4.7, CentOS 5.6 x32, OpenLDAP slapd 2.3.43, Samba 3.0.33-3.29.el5_6.2:
When we work with a wireless controller (in our case, Trapeze MX-200) and want to use the WPA2-Enterprise scheme to encrypt data, we need to organize authentication against any available user database (Active Directory, LDAP, MySQL etc.). If we store our passwords in MySQL or LDAP in clear-text form we don't have any problem setting up RADIUS as written in the goodies/eap_peap_mschap_proxy.cfg file.
In Trapeze MX there is a possibility to use the PEAP-Offload scheme, where the MX itself does all the PEAP-tunnel work and in RADIUS we receive an already ConvertedFromEAPMSCHAPV2 request, so radius.cfg looks very simple if we use LDAP:
# cat radius.cfg
<Client 1.1.1.2>
    Secret secret
    DupInterval 0
    IdenticalClients 1.1.1.3,1.1.1.4
</Client>
<Handler>
    <AuthBy LDAP2>
        NoDefault
        Host ldap-server.local
        Port 389
        AuthDN cn=root,dc=local
        AuthPassword root-password
        BaseDN dc=local
        Scope sub
        Version 3
        PasswordAttr userPassword
    </AuthBy>
</Handler>
But when we want to use (and it's my case) an LDAP server that stores passwords in any encrypted form (CRYPT, SHA, MD5 etc.) we meet a problem. We, for example, use {crypt} to store the passwords. In this case we can't decrypt the stored passwords. After a week of searches and experiments I found an article http://vuksan.com/linux/dot1x/802-1x-LDAP.html that gave me an idea about NThash. So I extended the LDAP schema with Samba attributes and then tried to authenticate with a small change in radius.cfg:
PasswordAttr sambaNTPassword
And it didn't work either.
Then, after investigations with our LDAP and Linux specialists and after reading the Radiator source code, we found that Radiator needs to know that it receives an NThash and not clear text. In the source code we saw that Radiator looks for {nthash} before the password it receives, i.e. usually from LDAP it receives:
# cat /var/log/radius/logfile
Thu May 19 14:28:08 2011: DEBUG: LDAP got sambaNTPassword: FD5117F72B251C2CB9A7A6669B8BD0A6
and Radiator doesn't know that this is an NThash. So I added:
TranslatePasswordHook sub {return "{nthash}$_[0]";}
in the appropriate <AuthBy LDAP2>. So below is a full radius.cfg that works with PEAP-MSCHAPv2, WPA2 and OpenLDAP:
# cat radius.cfg
<Client 1.1.1.2>
    Secret test
    DupInterval 0
    IdenticalClients 1.1.11.3,1.1.1.4
</Client>
<Handler>
    <AuthBy LDAP2>
        NoDefault
        TranslatePasswordHook sub {return "{nthash}$_[0]";}
        Host ldap-server.local
        Port 389
        AuthDN cn=root,dc=local
        AuthPassword root-password
        BaseDN dc=local
        Scope sub
        Version 3
        PasswordAttr sambaNTPassword
    </AuthBy>
</Handler>
With this file and the Samba extension to the LDAP schema, PEAP-MSCHAPv2 and WPA2 begin to work. The only drawback is that every user needs to renew his password to update LDAP with the new "sambaNTPassword" field, because there is no way to convert {crypt} LDAP passwords to NThash (at least, I don't know of one). But it's a simple technical task for a user that wants to connect to our encrypted wireless network.
And I think that we personally don't need to add the whole Samba schema to our working LDAP, only one field that will contain the NThash.
One more thing.
When you use Trapeze MX or any other wireless controller with the External Authentication scheme, i.e. all the work is executed on the Radiator side (PEAP too), you need to use a bigger radius.cfg:
# cat radius.cfg
<Client 1.1.1.2>
    Secret test
    DupInterval 0
    IdenticalClients 1.1.11.3,1.1.1.4
</Client>
<Handler ConvertedFromEAPMSCHAPV2=1>
    <AuthBy LDAP2>
        NoDefault
        TranslatePasswordHook sub {return "{nthash}$_[0]";}
        Host ldap-server.local
        Port 389
        AuthDN cn=root,dc=local
        AuthPassword root-password
        BaseDN dc=local
        Scope sub
        Version 3
        PasswordAttr sambaNTPassword
    </AuthBy>
</Handler>
<Handler TunnelledByPEAP=1>
    PasswordLogFileName /var/log/radius/tunneledByPEAP_passwords
    <AuthBy FILE>
        EAPType MSCHAP-V2
        EAP_PEAP_MSCHAP_Convert 1
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/users
        AutoMPPEKeys
        EAPType PEAP,MSCHAP-V2
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1024
        EAPTLS_PEAPVersion 0
    </AuthBy>
</Handler>
And you need to build the file %D/users, which simply contains a list of all users that can connect to your wireless network:
# cat users
user1
user2
user3
In general, you can easily retrieve this list from your LDAP.
And you will need to install trusted certificates and keys instead of the keys and certificates that Radiator gave us for test purposes.
Thanks to Heikki Vatiainen (Radiator) for the TranslatePasswordHook idea and to Vladimir Vuksan (FreeRadius) for the NThash idea.
Roman Safonov
Networking Engineer
TCC, Technion, Haifa
Email: romans at cc.technion.ac.il
-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au]
Sent: Monday, May 16, 2011 3:08 PM
To: ספונוב רומן
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] LDAP, crypt, hook
On 05/16/2011 11:14 AM, romans at cc.technion.ac.il wrote:
Hello Roman,
> We use Radiator for authentication WPA2 wireless via LDAP.
>
> Users passwords are stored inside LDAP in CRYPT form and we have a
> possibility to receive the same CRYPTed string from a clear-text
> password by executing
>
> crypt <crypted-string-from-LDAP> <clear-text-from NAS-Request>
>
> in perl script.
See the reference manual for version 4.8 (ref.pdf) and there AuthBy LDAP2 and sections "5.37.11 PasswordAttr" and "5.37.12 EncryptedPasswordAttr". If your crypt passwords do not start with {crypt} you can use something like this:
TranslatePasswordHook sub { return "{crypt}$_[0]"; }
See also goodies/ldap.cfg for an LDAP authentication configuration example.
> I.e. first according to User-Name in NAS-request we need to receive an
> answer from LDAP, then execute script and then we need to compare the
> resulting crypted string with <crypted-string-from-LDAP> and only
> after all this send a reply to NAS.
>
> But we don't know how can it be done in Radiator conf-file, what hook
> we need to use to achieve the result.
Radiator should be able to do what you require when you configure AuthBy LDAP2 and configure the appropriate PasswordAttr or EncryptedPasswordAttr.
See also ref.pdf sections "13.1.1 User-Password, Password" and "13.1.2 Encrypted-Password" for more about how Radiator interprets various password formats.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.