I have Freeradius as a proxy working fine with MSCHAPv2. However, I now have to use EAP to encrypt to the home server. How can I configure freeradius to proxy non EAP MSCHAPv2 to EAP with MSCHAPv2?
Many thanks
You can't, FreeRADIUS cannot currently act as an EAP client, only as an EAP server.
Related
I want to force our office users to enter their LDAP credentials when connecting to the WiFi in our office. So I installed FreeRadius as instructed at:
Using FreeIPA and FreeRadius .
Using radtest, I can successfully authenticate against our FreeIPA server using PAP. Moving on I configured a WiFi connection on my Windows 10 laptop to use EAP-TTLS as the authentication method along with selecting PAP as the non-EAP method. Again I can successfully authenticate against our FreeIPA server when connecting to the WiFi AP. But I realize that is not safe since passwords are sent as clear-text.
So next I configured a WiFi connection on my Windows 10 laptop to use PEAP as the authentication method with EAP method of EAP-MSCHAP v2. But now authentication fails. An excerpt from the FreeRadius debug log shows:
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(8) mschap: Creating challenge hash with username: test55
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
I’m struggling to figure out a solution. I have found various configurations of eap, mschap & ldap files online but so far I have not solved my issue.
I’m not sure if I’m asking the right question but is the password hash sent by the Windows client incompatible with the password hash used by FreeIPA?
It turns out mschapv2 is a challenge response protocol, and that does not work with an LDAP bind in the basic configuration of FreeRadius.
However I did find a solution where FreeRadius looks up a user by their LDAP DN, then reads (not bind) the NTHash of the user. From there, FreeRADIUS is able to process the challenge response.
First permissions have to be given to service accounts:
https://fy.blackhats.net.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
After performing these steps users will need to change their password in order to generate an ipaNTHash.
Then configure FreeRadius to use mschapv2 with FreeIPA:
https://fy.blackhats.net.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
After completing all the steps described in both links, this radtest cli command should return an Access-Accept response.
radtest -t mschap <ldap-user-uid> <ldap-user-password> 127.0.0.1:1812 0 <FreeRadius-secret>
i have configured strongswan (ipsec) to send request to freeradius as eap-radius.
and i configured freeradius to send requests using proxy to another radius server. (IBSng).
but , ipsec sends as EAP and freeradius forwards the original request to ibsng. ibsng didn't understand EAP ! just need clear text password.
how can i translate EAP to clear-text password in proxy?
I am working on freeRADIUS v1.1.7-r0.0.2 with LDAP as backend for authenticating users.
I want to configure freeRADIUS server with certificates instead of using usernames and passwords.
How to configure RADIUS+LDAP using SASL/Certificate based binding ?
Please guide me how to achieve this,is there any help/doc how to configure LDAP SASL bind for RADIUS Server.
Support for SASL binding was recently added in v3.0.x, both for administrative binds, and user binds, it's not available in previous versions.
See the SASL sections in the config here
Certificated based binding has always been supported. It's configured with the certificate_file and private_key_file config items.
You cannot pass the SSL tunnel through from something like an EAP conversation.
I have an application using spring-security's OpenID implementation. The app server sits behind a proxy. The proxy is apache httpd with mod_proxy. If the proxy connects to the app server via HTTP, the application will tell the OpenID authenticator to redirect back via HTTP rather than HTTPS like I would prefer. It seems to pull the protocol dynamically and only sees HTTP. If I configure the proxy to use HTTPS, I run into this problem. So is there a way to operate spring security behind a proxy which uses HTTP?
A little extra mod_proxy and Glassfish configuration solved this problem for me:
https://serverfault.com/questions/496888/ssl-issue-with-mod-proxy
I cannot load HTTPS pages - I am getting page not found!
I guess this is related to the server.
What can I do to enable this?
Thanks
You can install this hotfix:
http://support.microsoft.com/kb/968730
Windows Server 2003 and Windows XP clients cannot obtain certificates
from a Windows Server 2008-based certification authority (CA) if the
CA is configured to use SHA2 256 or higher encryption
SSL Port was blocked by the firewall.
I added the port 443 to the windows firewall exceptions (TCP exception) and I managed to access the site using 'https://'