Hello, I've solved the problem with OpenLDAP, PEAP-MSCHAPv2, WPA2-Enterprise and non-clear-text stored passwords.
Here is a solution (19-May-2011, Radiator v4.7, CentOS 5.6 x32, OpenLDAP slapd 2.3.43, Samba 3.0.33-3.29.el5_6.2):

When we work with a wireless controller (in our case, Trapeze MX-200) and want to use the WPA2-Enterprise scheme to encrypt data, we need to organize authentication against any available user database (Active Directory, LDAP, MySQL etc.). If we store our passwords in MySQL or LDAP in clear-text form, we don't have any problem setting up RADIUS as written in the goodies/eap_peap_mschap_proxy.cfg file. In Trapeze MX there is a possibility to use the PEAP-Offload scheme, where the MX itself does all the PEAP-tunnel work and RADIUS receives an already ConvertedFromEAPMSCHAPV2 request, so radius.cfg will look very simple in case we use LDAP:

# cat radius.cfg
<Client 1.1.1.2>
        Secret secret
        DupInterval 0
        IdenticalClients 1.1.1.3,1.1.1.4
</Client>
<Handler>
        <AuthBy LDAP2>
                NoDefault
                Host ldap-server.local
                Port 389
                AuthDN cn=root,dc=local
                AuthPassword root-password
                BaseDN dc=local
                Scope sub
                Version 3
                PasswordAttr userPassword
        </AuthBy>
</Handler>

But when we want to use (and it's my case) an LDAP server that stores passwords in some encrypted form (CRYPT, SHA, MD5 etc.), we meet a problem. We, for example, use {crypt} to store the passwords. In this case we can't decrypt the stored passwords. After a week of searches and experiments I found an article, http://vuksan.com/linux/dot1x/802-1x-LDAP.html, that gave me an idea about the NT hash. So I extended the LDAP schema with the Samba attributes and then tried to authenticate with a small change in radius.cfg:

PasswordAttr sambaNTPassword

And it didn't work either. Then, after investigations with our LDAP and Linux specialists and after reading the source code of Radiator, we found that Radiator needs to know that it receives an NT hash and not clear text. In the source code we saw that Radiator looks for {nthash} in front of the password that it receives, i.e. usually from LDAP it receives:

#cat /var/log/radius/logfile
Thu May 19 14:28:08 2011: DEBUG: LDAP got sambaNTPassword: FD5117F72B251C2CB9A7A6669B8BD0A6

and Radiator doesn't know that this is an NT hash. So I added:

TranslatePasswordHook sub {return "{nthash}$_[0]";}

in the appropriate <AuthBy LDAP2>. So below is a full radius.cfg that works with PEAP-MSCHAPv2, WPA-2 and OpenLDAP:

# cat radius.cfg
<Client 1.1.1.2>
        Secret test
        DupInterval 0
        IdenticalClients 1.1.11.3,1.1.1.4
</Client>
<Handler>
        <AuthBy LDAP2>
                NoDefault
                TranslatePasswordHook sub {return "{nthash}$_[0]";}
                Host ldap-server.local
                Port 389
                AuthDN cn=root,dc=local
                AuthPassword root-password
                BaseDN dc=local
                Scope sub
                Version 3
                PasswordAttr sambaNTPassword
        </AuthBy>
</Handler>

With this file and the Samba extension to the LDAP schema, PEAP-MSCHAPv2 and WPA-2 begin to work. The only drawback is that every user needs to renew his password to update LDAP with the new "sambaNTPassword" field, because there is no way to convert {crypt} LDAP passwords to an NT hash (at least, I don't know of one). But it's a simple technical task for a user that wants to connect to our encrypted wireless network. And I think that we personally don't need to add the whole Samba schema to our working LDAP, only one field that will contain the NT hash.

One more thing. When you use Trapeze MX or any other wireless controller with the External Authentication scheme, i.e. all work is executed on the Radiator side (PEAP too), you need to use a big radius.cfg:

# cat radius.cfg
<Client 1.1.1.2>
        Secret test
        DupInterval 0
        IdenticalClients 1.1.11.3,1.1.1.4
</Client>
<Handler ConvertedFromEAPMSCHAPV2=1>
        <AuthBy LDAP2>
                NoDefault
                TranslatePasswordHook sub {return "{nthash}$_[0]";}
                Host ldap-server.local
                Port 389
                AuthDN cn=root,dc=local
                AuthPassword root-password
                BaseDN dc=local
                Scope sub
                Version 3
                PasswordAttr sambaNTPassword
        </AuthBy>
</Handler>
<Handler TunnelledByPEAP=1>
        PasswordLogFileName /var/log/radius/tunneledByPEAP_passwords
        <AuthBy FILE>
                EAPType MSCHAP-V2
                EAP_PEAP_MSCHAP_Convert 1
        </AuthBy>
</Handler>
<Handler>
        <AuthBy FILE>
                Filename %D/users
                AutoMPPEKeys
                EAPType PEAP,MSCHAP-V2
                EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_PEAPVersion 0
        </AuthBy>
</Handler>

And you need to build the file %D/users, which simply contains a list of all users that can connect to your wireless network:

#cat users
user1
user2
user3

In general, you can easily retrieve this list from your LDAP. And you will need to install trusted certificates and keys instead of the keys and certificates that Radiator gave us for test purposes.

Thanks to Heikki Vatiainen (Radiator) for the TranslatePasswordHook idea and to Vladimir Vuksan (FreeRadius) for the NThash idea.

Roman Safonov
Networking Engineer
TCC, Technion, Haifa
Email: rom...@cc.technion.ac.il

-----Original Message-----
From: Heikki Vatiainen [mailto:h...@open.com.au]
Sent: Monday, May 16, 2011 3:08 PM
To: ספונוב רומן
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] LDAP, crypt, hook

On 05/16/2011 11:14 AM, rom...@cc.technion.ac.il wrote:

Hello Roman,

> We use Radiator for authentication of WPA2 wireless via LDAP.
>
> Users' passwords are stored inside LDAP in CRYPT form and we have a
> possibility to receive the same CRYPTed string from a clear-text
> password by executing
>
> crypt <crypted-string-from-LDAP> <clear-text-from NAS-Request>
>
> in a perl script.

See the reference manual for version 4.8 (ref.pdf) and there AuthBy LDAP2 and sections "5.37.11 PasswordAttr" and "5.37.12 EncryptedPasswordAttr". If your crypt passwords do not start with {crypt} you can use something like this:

TranslatePasswordHook sub { return "{crypt}$_[0]"; }

See also goodies/ldap.cfg for an LDAP authentication configuration example.

> I.e. first, according to the User-Name in the NAS request, we need to receive an
> answer from LDAP, then execute the script, and then we need to compare the
> resulting crypted string with <crypted-string-from-LDAP>, and only
> after all this send a reply to the NAS.
>
> But we don't know how it can be done in the Radiator conf-file, what hook
> we need to use to achieve the result.

Radiator should be able to do what you require when you configure AuthBy LDAP2 and configure the appropriate PasswordAttr or EncryptedPasswordAttr. See also ref.pdf sections "13.1.1 User-Password, Password" and "13.1.2 Encrypted-Password" for more about how Radiator interprets various password formats.

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator