[RADIATOR] Password Variable not passed

Heikki Vatiainen hvn at open.com.au
Fri May 18 07:30:41 CDT 2012


On 05/17/2012 11:45 PM, Michael Hulko wrote:

Hello Michael,

>   I am not able to determine why, when using the %P variable, it does not
> pass the user password into the LDAP authentication.

There are a couple of things causing problems for you.

First: I would consider changing the LDAP configuration a little. Either
leave AuthDN and AuthPassword unset or use a special DN and password
that are created for Radiator. In both cases you should also use
ServerChecksPassword if there is no plaintext or encrypted password
available from LDAP.

However, before you change any of this, please read about the second
problem.

> We are attempting to terminate the PEAP/EAP on our wireless controllers
> (Aruba) and pass the username and password to Radiator for
> authentication as this only requires a single common certificate to be
> presented to the clients, unless Radiator does not have an issue reusing
> certs on different servers?

The second problem is that there is no password available in
PEAP/EAP-MSCHAP-V2 authentication because MSCHAP-V2 does not send a
password but uses a challenge/response calculated based on the password.
So even if you terminate PEAP/EAP-MSCHAP-V2 with the controller, the
controller cannot create a RADIUS Access-Request with a User-Password
attribute.

For this reason Radiator cannot put anything in %P. Also, binding to
LDAP as the user cannot be used, since the password is not available.

Binding to LDAP as the user with the user's password works with
EAP-TTLS/PAP, but for PEAP and other TTLS inner protocols you would need
something like what is described below: access to the password or nthashed password.

For PEAP/EAP-MSCHAP-V2 you would need to have the passwords in plain
text or NTHASH hashed format. These both work with MSCHAP-V2. Radiator
would then fetch the plaintext or nthashed attribute from LDAP and run
MSCHAP-V2 for authentication.

You can configure Radiator to use the same certificate on different
machines. When, e.g., Radiators are duplicated, multiple servers share
the same certificate so that clients do not get confused about
different names in certificates.

> When I set the password in the config file statically, I receive an
> access-accept reply, however, when I attempt to use the %P parameter,
> the password is never included in the authentication.
> 
> Suggestions would be appreciated... I have stripped the config down for
> testing purposes.

In summary: if you need to support MSCHAP-V2 in some form, you need to
have nthashed (or plain text) password attributes in LDAP.

When running Radiator on Windows, you can use AuthBy LSA for
authentication if the LDAP really is AD. In this case you can use AuthBy
LDAP2 to fetch any required check and reply attributes from AD while
letting LSA do the authentication.

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
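The point above about MSCHAP-V2 needing a plaintext or nthashed password, as an added example that is not part of Heikki's message or of Radiator's own code: it computes the NT hash (MD4 over the UTF-16LE password) that MSCHAP-V2 is verified against, and shows which kinds of stored LDAP credentials can yield it. The attribute names `userPassword` and `sambaNTPassword` are assumed for illustration, the directory entries are constructed, and MD4 is implemented in pure Python because hashlib may not provide it.

```python
import struct
from typing import Optional

M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib may lack MD4 under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = ((F, 0, tuple(range(16)), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    # Pad to 56 mod 64, then append the bit length little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                t = (a + f(b, c, d) + x[idx] + k) & M
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & M, b, c  # rotate roles
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; MSCHAP-V2 responses derive from it."""
    return md4(password.encode("utf-16-le"))

def mschapv2_secret(entry: dict) -> Optional[bytes]:
    """Return the 16-byte NT hash a RADIUS server could run MSCHAP-V2 against, or None.
    A plaintext password and a stored NT hash both work; a one-way hash such as
    {SSHA} cannot be turned back into either, and an LDAP bind is impossible
    because the Access-Request carries no User-Password attribute."""
    if "sambaNTPassword" in entry:            # assumed attribute: hex NT hash
        return bytes.fromhex(entry["sambaNTPassword"])
    pw = entry.get("userPassword")            # assumed attribute: plaintext or {SCHEME}hash
    if pw is not None and not pw.startswith("{"):
        return nt_hash(pw)
    return None

# Constructed sample entries covering the three storage styles discussed above.
ENTRIES = {
    "plain": {"uid": "alice", "userPassword": "password"},
    "nthash": {"uid": "bob", "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"},
    "ssha": {"uid": "carol", "userPassword": "{SSHA}constructed-placeholder"},
}
```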