[RADIATOR] OpenLDAP, PEAP-MSCHAPv2, WPA2-Enterprise -- solution
Heikki Vatiainen
hvn at open.com.au
Fri May 20 06:39:36 CDT 2011
On 05/19/2011 03:57 PM, romans at cc.technion.ac.il wrote:
Hello Roman,
first of all, thank you for the good summary and all the information you
have provided. You are correct about the problems with encrypted and
hashed passwords and what you wrote provides a good overview on how
to work with hashed passwords.
I would like to add two ways to optimize the example configs you sent.
> When you use Trapeze MX or any other wireless controller as External Authentication scheme, i.e. all work is executed on Radiator side (PEAP too), you need to use a big radius.cfg:
Here you could simplify the config like this. In other words, it is not
necessary to do the conversion from EAP MSCHAP-V2 to plain MSCHAP.
<Handler TunnelledByPEAP=1>
    PasswordLogFileName /var/log/radius/tunneledByPEAP_passwords
    <AuthBy LDAP2>
        NoDefault
        TranslatePasswordHook sub {return "{nthash}$_[0]";}
        Host ldap-server.local
        Port 389
        AuthDN cn=root,dc=local
        AuthPassword root-password
        BaseDN dc=local
        Scope sub
        Version 3
        PasswordAttr sambaNTPassword
    </AuthBy>
</Handler>
> When you use Trapeze MX or any other wireless controller as External Authentication scheme, i.e. all work is executed on Radiator side (PEAP too), you need to use a big radius.cfg:
>
> # cat radius.cfg
> <Client 1.1.1.2>
>     Secret test
>     DupInterval 0
>     IdenticalClients 1.1.11.3,1.1.1.4
> </Client>
> <Handler ConvertedFromEAPMSCHAPV2=1>
>     <AuthBy LDAP2>
>         NoDefault
>         TranslatePasswordHook sub {return "{nthash}$_[0]";}
>         Host ldap-server.local
>         Port 389
>         AuthDN cn=root,dc=local
>         AuthPassword root-password
>         BaseDN dc=local
>         Scope sub
>         Version 3
>         PasswordAttr sambaNTPassword
>     </AuthBy>
> </Handler>
> <Handler TunnelledByPEAP=1>
>     PasswordLogFileName /var/log/radius/tunneledByPEAP_passwords
>     <AuthBy FILE>
>         EAPType MSCHAP-V2
>         EAP_PEAP_MSCHAP_Convert 1
>     </AuthBy>
> </Handler>
> <Handler>
>     <AuthBy FILE>
>         Filename %D/users
>         AutoMPPEKeys
>         EAPType PEAP,MSCHAP-V2
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1024
>         EAPTLS_PEAPVersion 0
>     </AuthBy>
> </Handler>
>
> And you need to build a file %D/users that simply contains a list of all users that can connect to your wireless network:
>
> #cat users:
> user1
> user2
> user3
>
> In general, you can easily retrieve this list from your LDAP.
This will work, but you can also use the following:
#cat users
anonymous Encrypted-Password=nevermatch
When EAP is used, the file will not be used to check users. For this
reason, a simple token user and a password that can never match (nothing
decrypts to 'nevermatch') will be enough. You could even use /dev/null
as the file name to hint that the file is not needed.
However, with the anonymous user, like above, you can also be sure that
if there is a non-EAP authentication request, it will fail even if the
non-EAP username was anonymous.
Thanks again!
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.