Using SHA1 user password fields in freeradius radius server

freeradius2radius

I have proprietary web application which stores user password in form of sha1$79b2c$b3704ec5703ef28ded379cf6c6de4c4160aa029b. This is a salted sha1 hash.

I want to use this presaved information for freeradius as well. Crypt-Password attribute is defined in radius but AFAIK it is just md5 hash of the password. I tried this but this didnt work as I expect. How can I use the same ceredentials for user validating in freeradius? Is it possible to run some script and accept accrding to its return value?
If I change the propietary web application to save user credntials on another form, what should I choose to be compatible with Freeradius? EXcept for Cleartext and MD5.

Best Answer

I have found how to do for the question part b:

The form sha1$79b2c$b3704ec5703ef28ded379cf6c6de4c4160aa029b has parts as: sha1$SALT$SALTEDPASSWORD

In Radius this is named as SSHA-Password Ref: http://www.packtpub.com/article/freeradius-authentication-storing-passwords Ref: http://freeradius.org/radiusd/man/rlm_pap.txt

1- Use the script in Ref1 to create a Salted SHA1 hash. prop-to-ssha.pl UserClearPass SALT

Output of this can be assgined to the attribute

SSHA-Password := OUTPUTOFPERLSCRIPT

And this works. I can automate my proprietary aplication and also create a radius password entry while creating users.

For part a of the question, I have no answers yet.

Related Solutions

Ubuntu – Setting up RADIUS + LDAP for WPA2 on Ubuntu

I'll try to answer the LDAP question here.

Here's the short answer: make sure the ldap module is removed from the authenticate section, and make sure the mschap module is present in both the authorize and the authenticate section. And just ignore the 'No "known good" password'.

And now here's the (very) long answer.

How does the ldap module work?

When you activate the ldap module in the authorize section, this is what it does when a RADIUS packet is received by FreeRADIUS:

it tries to bind to the LDAP server (as a guest user, or using the given identity if one is configured in ldap.conf)
it searches for the user's DN entry using the filter under the base DN (configured in ldap.conf).
it fetches all the LDAP attributes it can get among those configured in ldap.attrmap, and converts them into RADIUS Attributes.
it adds those attributes to the RADIUS packet's check items list.

When you activate the ldap module in the authenticate section, this is what FreeRADIUS does:

it tries to bind to the LDAP server as the user.
if it can bind, then it's a successful authentication, and a Radius-Accept packet will be sent back to the client, or else, it's a failure, leading to a Radius-Reject packet.

So how can I configure FreeRADIUS to make PEAP/MS-CHAP-v2 work with LDAP?

The important point here is that binding as the user will only work if the FreeRADIUS server can retrieve the cleartext password of the user from the RADIUS packet it received. This is only the case when PAP or TTLS/PAP authentication methods are used (and possibly also EAP/GTC). Only the TTLS/PAP method is really secure, and it is not available by default in Windows. If you want your users to connect with TTLS/PAP, you need to have them install a TTLS supplicant software, which is seldom an option. Most of the time, when deploying WiFi with WPA Enterprise securiy, PEAP/MS-CHAP-v2 is the only reasonable option.

So the bottom line is: unless you are using PAP or TTLS/PAP, you can safely remove the ldap module from the authenticate section, and actually, you should: binding as the user will not work.

If your test works when you use radtest, it probably means that the ldap module is activated in the authenticate section: it will try to bind as the user, and since radtest uses PAP authentication, it will succeed. But it will fail if you try to connect through the access point, since you are using PEAP/MS-CHAP-v2.

What you should do is remove the ldap module from the authenticate section, and make sure you activate the mschap module in both the authorize and the authenticate section. What will happen is that the mschap module will take care of authentication using the NT-Password attribute which is retrieved from the LDAP server during the authorize phase.

Here is what your sites-enabled/default file should look like (without all the comments):

    ...
    authorize {
        preprocess
        suffix
        eap {
            ok = return
        }
        expiration
        logintime
    }
    authenticate {
        eap
    }
    ...

And here is what your sites-enabled/inner-tunnel file should look like:

    ...
    authorize {
        mschap
        suffix
        update control {
               Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        ldap
        expiration
        logintime
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    ...

What about the 'No "known good" password' warning?

Well, you can safely ignore it. It's just there because the ldap module could not find a UserPassword attribute when it fetched the user details from the LDAP server during the authorize phase. In your case, you have the NT-Password attribute, and that's perfectly fine for PEAP/MS-CHAP-v2 authentication.

I guess the warning exists because when the ldap module was designed, PEAP/MS-CHAP-v2 did not exist yet, so the only thing that seemed to make sense at the time was to retrieve the UserPassword attribute from the LDAP server, in order to use PAP, CHAP, EAP/MD5 or such authentication methods.

Restrict FreeRADIUS clients to access service from different LANs with same user and password

I haven't used a database backend before, but using the users file the rule would look something like this:

myuser  Cleartext-Password := "mypass", NAS-IP-Address == "192.168.2.1"

Based on that, I think you need two entries in the radcheck table:

usernane='myuser', attribute='Password', op=':=', value='mypass'
username='myuser', attribute='NAS-IP-Address', op='==', value='192.168.2.1'

Best Answer

Related Solutions

Ubuntu – Setting up RADIUS + LDAP for WPA2 on Ubuntu

Restrict FreeRADIUS clients to access service from different LANs with same user and password

Related Topic