Hi All,
Recently we would like to extend our 389DS users into RADIUS for account authorization and authentication (WiFi with WPA-Enterprise, portal, etc.).
It seems like FreeRADIUS only works with a cleartext password, i.e. it cannot read the userPassword attribute when it is SHA-hashed.
Does anyone have a workaround or idea on this?
We have a FreeRADIUS setup, and it seems it doesn't work with MSCHAPv2 ;(
-- Ozikat.
On 03/11/15 13:36, ozikat wrote:
> Recently we would like to extend our 389DS users into RADIUS for account authorization and authentication (WiFi with WPA-Enterprise, portal, etc.).
> It seems like FreeRADIUS only works with a cleartext password, i.e. it cannot read the userPassword attribute when it is SHA-hashed.
> Does anyone have a workaround or idea on this?
> We have a FreeRADIUS setup, and it seems it doesn't work with MSCHAPv2 ;(
In order to use MSCHAPv2 with any combination of RADIUS daemon and LDAP server, you have to store plaintext passwords (or NT-Password hashes) in your backend. This is not a limitation of FreeRADIUS or 389. It's by design. http://deployingradius.com/documents/protocols/compatibility.html
J.
Good day Jochen,
Read about that; just wondering whether anyone got it to work with PassSync + NT-Password hashes.
Or how to store the password passed on by PassSync in plain text?
-- Ozikat.
On 11/3/15 22:48, Jochen Schneider wrote:
> On 03/11/15 13:36, ozikat wrote:
>> Recently we would like to extend our 389DS users into RADIUS for account authorization and authentication (WiFi with WPA-Enterprise, portal, etc.).
>> It seems like FreeRADIUS only works with a cleartext password, i.e. it cannot read the userPassword attribute when it is SHA-hashed.
>> Does anyone have a workaround or idea on this?
>> We have a FreeRADIUS setup, and it seems it doesn't work with MSCHAPv2 ;(
> In order to use MSCHAPv2 with any combination of RADIUS daemon and LDAP server, you have to store plaintext passwords (or NT-Password hashes) in your backend. This is not a limitation of FreeRADIUS or 389. It's by design. http://deployingradius.com/documents/protocols/compatibility.html
> J.
> -- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
On 03/11/15 17:08, ozikat wrote:
> Read about that; just wondering whether anyone got it to work with PassSync + NT-Password hashes.
> Or how to store the password passed on by PassSync in plain text?
Mhhh, you can either change passwordStorageScheme to "CLEAR" (not recommended) or write the plaintext password to another attribute and only allow the RADIUS bind DN to access it. The attribute that PassSync updates can be configured in the Windows registry under "HKEY_LOCAL_MACHINE\Passsync\Password Field".
If you have all your accounts in AD anyway, you could also use FreeRADIUS with samba/ntlm_auth like so: http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW...
J.
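One way to implement the second option above (a side attribute that only the RADIUS bind DN can read), as an added example that is not from this thread or from the 389DS/FreeRADIUS projects. The attribute name radiusPassword, the suffix dc=example,dc=com, and the bind DN cn=radius,ou=Services,dc=example,dc=com are assumptions; radiusPassword would need to be defined in the schema and set as the PassSync "Password Field".

```ldif
# Added example, not from the thread. Assumes a custom attribute
# "radiusPassword" (hypothetical) holding the value PassSync writes,
# users under ou=People,dc=example,dc=com, and a FreeRADIUS service
# account cn=radius,ou=Services,dc=example,dc=com.
#
# 389DS evaluates deny rules before allow rules, so the deny below wins
# over the default suffix ACI that lets anonymous users read every
# attribute except userPassword. Only read/search/compare are denied,
# so the PassSync bind account's write access (granted by the existing
# ACIs) is not affected. The explicit allow then grants the RADIUS
# bind DN read access to this one attribute.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "radiusPassword")(version 3.0; acl "Hide radiusPassword from everyone but RADIUS"; deny (read, search, compare) userdn != "ldap:///cn=radius,ou=Services,dc=example,dc=com";)
aci: (targetattr = "radiusPassword")(version 3.0; acl "RADIUS may read radiusPassword"; allow (read, search, compare) userdn = "ldap:///cn=radius,ou=Services,dc=example,dc=com";)
```

On the FreeRADIUS 3.x side the matching mapping is `control:Cleartext-Password := 'radiusPassword'` in the `update {}` section of mods-available/ldap, with the module binding as the DN above. The ACI limits LDAP reads only; the cleartext value still lives in the database files, backups, and replication traffic, so those need the same protection as a CLEAR password store would.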
Jochen,
Great idea, I will work on Samba auth.
-- Paul Ooi
On 11/4/15 03:35, Jochen Schneider wrote:
> On 03/11/15 17:08, ozikat wrote:
>> Read about that; just wondering whether anyone got it to work with PassSync + NT-Password hashes.
>> Or how to store the password passed on by PassSync in plain text?
> Mhhh, you can either change passwordStorageScheme to "CLEAR" (not recommended) or write the plaintext password to another attribute and only allow the RADIUS bind DN to access it. The attribute that PassSync updates can be configured in the Windows registry under "HKEY_LOCAL_MACHINE\Passsync\Password Field".
> If you have all your accounts in AD anyway, you could also use FreeRADIUS with samba/ntlm_auth like so: http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW...
> J.