MSCHAPV2 + OpenLDAP

MSCHAPV2 + OpenLDAP

Users mailing list
Hi
Source data:
OpenLDAP
FreeRADIUS Version 3.0.21

I am trying to configure authentication via freeradius for client VPN. Users are in OpenLDAP. The problem is that the standard macOS VPN client works via MS-CHAPv2 (in debug mode, I see the client is using MS-CHAPv2). I would be grateful for help if someone has experience setting up this configuration.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MSCHAPV2 + OpenLDAP

Sven Hartge-5
On 03.08.20 15:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:

> I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in debug mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.


Please read
http://deployingradius.com/documents/protocols/compatibility.html first
to see if the way the password is stored in OpenLDAP is compatible with
MS-CHAP.

(Odds are, it isn't.)

Regards,
Sven.

Re: MSCHAPV2 + OpenLDAP

Users mailing list
It turns out that the vpn client macos only works with Active Directory ? So Apple depends on Windows ? This is vendor lock )


> On 3 Aug 2020, at 16:24, Sven Hartge <[hidden email]> wrote:
>
> On 03.08.20 15:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
>
>> I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in debug mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.
>
>
> Please read
> http://deployingradius.com/documents/protocols/compatibility.html first
> to see if the way the password is stored in OpenLDAP is compatible with
> MS-CHAP.
>
> (Odds are, it isn't.)
>
> Regards,
> Sven.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: MSCHAPV2 + OpenLDAP

Alan DeKok-2
On Aug 3, 2020, at 9:29 AM, Клеусов Владимир Сергеевич via Freeradius-Users <[hidden email]> wrote:
>
> It turns out that the vpn client macos only works with Active Directory ? So Apple depends on Windows ?

  No.

  It works with everything. The issue is HOW the password is stored. Not WHERE it is stored.

  Alan DeKok


Re: MSCHAPV2 + OpenLDAP

Gregory Sloop
In reply to this post by Users mailing list
Top posting.
I don't use/involve freeradius for VPN on the Mac, but I certainly use MSChapv2 [with L2TP]. The native L2TP client on the Mac DOES NOT require Active Directory.

I suspect you have some other problem.



> It turns out that the vpn client macos only works with Active
> Directory ? So Apple depends on Windows ? This is vendor lock )


>> On 3 Aug 2020, at 16:24, Sven Hartge <[hidden email]> wrote:

>> On 03.08.20 15:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:

>>> I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in debug mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.


>> Please read
>> http://deployingradius.com/documents/protocols/compatibility.html first
>> to see if the way the password is stored in OpenLDAP is compatible with
>> MS-CHAP.

>> (Odds are, it isn't.)

Re: MSCHAPV2 + OpenLDAP

Users mailing list
Thanks. Maybe I need to configure the MSCHAP freeradius module for OpenLDAP authentication. I haven't figured out how yet )
The ldap module is configured correctly

On 3 Aug 2020, at 16:42, Gregory Sloop <[hidden email]<mailto:[hidden email]>> wrote:

Top posting.
I don't use/involve freeradius for VPN on the Mac, but I certainly use MSChapv2 [with L2TP]. The native L2TP client on the Mac DOES NOT require Active Directory.

I suspect you have some other problem.



> It turns out that the vpn client macos only works with Active
> Directory ? So Apple depends on Windows ? This is vendor lock )


>> On 3 Aug 2020, at 16:24, Sven Hartge <[hidden email]<mailto:[hidden email]>> wrote:

>> On 03.08.20 15:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:

>>> I am trying to configure authentication via freeradius client VPN. Users in OpenLDAP . The problem is that the standard MacOS vpn client works via ms chap v2 (in debug mode, I see the Client is using MS-CHAPv2). I would be grateful for help if someone had experience setting up in this configuration.


>> Please read
>> http://deployingradius.com/documents/protocols/compatibility.html<http://deployingradius.com/documents/protocols/compatibility.html> first
>> to see if the way the password is stored in OpenLDAP is compatible with
>> MS-CHAP.

>> (Odds are, it isn't.)



RE: MSCHAPV2 + OpenLDAP

Users mailing list

I you recommend to use kerberos (or ntlm) and ldap only for the group memberships,
But I can't speak for you, so I suggest: read the links below, use what you need.


http://deployingradius.com/documents/configuration/active_directory.html
or
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory 

And/or! Note, the settings shown in the 2 links above still need to be applied in the one below.
https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD


Greetz,

Louis



> -----Original message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=[hidden email]
> ius.org] On behalf of Клеусов Владимир Сергеевич
> via Freeradius-Users
> Sent: Monday 3 August 2020 15:49
> To: FreeRadius users mailing list
> CC: Клеусов Владимир Сергеевич
> Subject: Re: MSCHAPV2 + OpenLDAP
>
> Thanks. Maybe I need to configure the MSCHAP freeradius
> module for OpenLDAP authentication. I haven't figured out how yet )
> The ldap module is configured correctly
>
> On 3 Aug 2020, at 16:42, Gregory Sloop
> <[hidden email]<mailto:[hidden email]>> wrote:
>
> Top posting.
> I don't use/involve freeradius for VPN on the Mac, but I
> certainly use MSChapv2 [with L2TP]. The native L2TP client on
> the Mac DOES NOT require Active Directory.
>
> I suspect you have some other problem.
>
>
>
> > It turns out that the vpn client macos only works with Active
> > Directory ? So Apple depends on Windows ? This is
> vendor lock )
>
>
> >> On 3 Aug 2020, at 16:24, Sven Hartge
> <[hidden email]<mailto:[hidden email]>> wrote:
>
> >> On 03.08.20 15:04, Клеусов Владимир Сергеевич
> via Freeradius-Users wrote:
>
> >>> I am trying to configure authentication via freeradius
> client VPN. Users in OpenLDAP . The problem is that the
> standard MacOS vpn client works via ms chap v2 (in debug
> mode, I see the Client is using MS-CHAPv2). I would be
> grateful for help if someone had experience setting up in
> this configuration.
>
>
> >> Please read
> >>
> http://deployingradius.com/documents/protocols/compatibility.h
> tml<http://deployingradius.com/documents/protocols/compatibili
> ty.html> first
> >> to see if the way the password is stored in OpenLDAP is
> compatible with
> >> MS-CHAP.
>
> >> (Odds are, it isn't.)
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



Re: MSCHAPV2 + OpenLDAP

Users mailing list
I'm sorry, but the links refer to Active Directory and samba dc . I just don't have Active Directory. I only have OpenLDAP.

I'll keep thinking about solving this problem

On 3 Aug 2020, at 17:30, L.P.H. van Belle via Freeradius-Users <[hidden email]<mailto:[hidden email]>> wrote:

I you recommend to use kerberos (or ntlm) and ldap only for the group memberships,


RE: MSCHAPV2 + OpenLDAP

Users mailing list
So you have seen the examples for ldap then ;-)
Great,

Good luck.

 

> -----Original message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=[hidden email]
> ius.org] On behalf of Клеусов Владимир Сергеевич
> via Freeradius-Users
> Sent: Monday 3 August 2020 16:48
> To: FreeRadius users mailing list
> CC: Клеусов Владимир Сергеевич
> Subject: Re: MSCHAPV2 + OpenLDAP
>
> I'm sorry, but the links refer to Active Directory and samba
> dc . I just don't have Active Directory. I only have OpenLDAP.
>
> I'll keep thinking about solving this problem
>
> On 3 Aug 2020, at 17:30, L.P.H. van Belle via
> Freeradius-Users
> <[hidden email]<mailto:freeradius-users
> @lists.freeradius.org>> wrote:
>
> I you recommend to use kerberos (or ntlm) and ldap only for
> the group memberships,
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



Re: MSCHAPV2 + OpenLDAP

Sven Hartge-5
In reply to this post by Users mailing list
On 03.08.20 16:48, Клеусов Владимир Сергеевич via Freeradius-Users wrote:

> I'm sorry, but the links refer to Active Directory and samba dc . I just don't have Active Directory. I only have OpenLDAP.
>
> I'll keep thinking about solving this problem

The solution is very simple: If you only have the hashed password of a
user in LDAP, then you can't use MSCHAP.

You need to have the clear or NTHASH password for that.

This is exactly what the documentation tells you.

Re: MSCHAPV2 + OpenLDAP

Users mailing list
cleartext is not suitable.
Is there an instruction for enabling nthash in openldap ?

> On 3 Aug 2020, at 18:06, Sven Hartge <[hidden email]> wrote:
>
> On 03.08.20 16:48, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
>
>> I'm sorry, but the links refer to Active Directory and samba dc . I just don't have Active Directory. I only have OpenLDAP.
>>
>> I'll keep thinking about solving this problem
>
> The solution is very simple: If you only have the hashed password of a
> user in LDAP, then you can't use MSCHAP.
>
> You need to have the clear or NTHASH password for that.
>
> This is exactly what the documentation tells you.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: MSCHAPV2 + OpenLDAP

Martin Pauly
On 03.08.20 at 20:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
> cleartext is not suitable.
sure, and not needed either.
> Is there an instruction for enabling nthash in openldap ?
In principle, yes -- but be careful. The ancient NTLM Hash is pretty close to cleartext in 2020,
so make sure nobody steals the hash.

1. Create an attribute containing the NTLM hash in your OpenLDAP schema, named e.g. MyNTPassword
2. Store your NT-hashed passwords there
3. In mods-available/ldap, there's already a well-prepared config line for you in the update{} section
    starting with control:NT-Password. On the right-hand side of this assignment, adjust the LDAP
    attribute name, e.g. to MyNTPassword, and uncomment the line

The result looks similar to:

ldap {
         [...]
         update {
                 control:NT-Password             := 'MyNTPassword'
                 [...]
         }
        [...]
}

FR will pull the NTLM Hash from LDAP and perform the server side of the MS-CHAP authentication itself,
no Windows server needed.

HTH, Martin


--
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: [hidden email]
   D-35032 Marburg



Re: MSCHAPV2 + OpenLDAP

Users mailing list
Thanks.
I don't quite understand.
> 2. Store your NT-hashed passwords there
How do I do this ?


> On 10 Aug 2020, at 20:10, Martin Pauly <[hidden email]> wrote:
>
> On 03.08.20 at 20:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
>> cleartext is not suitable.
> sure, and not needed either.
>> Is there an instruction for enabling nthash in openldap ?
> In principle, yes -- but be careful. The ancient NTLM Hash is pretty close to cleartext in 2020,
> so make sure nobody steals the hash.
>
> 1. Create an attribute containing the NTLM hash in your OpenLDAP schema, named e.g. MyNTPassword
> 2. Store your NT-hashed passwords there
> 3. In mods-available/ldap, there's already a well-prepared config line for you in the update{} section
>   starting with control:NT-Password. On the right-hand side of this assignment, adjust the LDAP
>   attribute name, e.g. to MyNTPassword, and uncomment the line
>
> The result looks similar to:
>
> ldap {
>        [...]
>        update {
>                control:NT-Password             := 'MyNTPassword'
>                [...]
>        }
> [...]
> }
>
> FR will pull the NTLM Hash from LDAP and perform the server side of the MS-CHAP authentication itself,
> no Windows server needed.
>
> HTH, Martin
>
>
> --
>  Dr. Martin Pauly     Phone:  +49-6421-28-23527
>  HRZ Univ. Marburg    Fax:    +49-6421-28-26994
>  Hans-Meerwein-Str.   E-Mail: [hidden email]
>  D-35032 Marburg
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: MSCHAPV2 + OpenLDAP

Martin Pauly
On 11.08.20 at 10:31, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
>> 2. Store your NT-hashed passwords there
> How do I do this ?

e.g. like this author recommends:
https://blog.atucom.net/2012/10/generate-ntlm-hashes-via-command-line.html

But you will need cleartext at some point. Actually, I see little use in
employing a VPN solution that _only_ does MS-CHAPv2. As you can see,
you would need to convert all your passwords from _cleartext_.
IMO, you would be better off with a VPN solution that queries LDAP
directly or via RADIUS, but without fancy protocol diversions.

Greetings, Martin


--
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: [hidden email]
   D-35032 Marburg

