[afnog] Cisco, Radius & LDAP Problem

Brian Candler B.Candler at pobox.com
Wed Apr 19 14:12:48 EAT 2006 

On Wed, Apr 19, 2006 at 08:39:35AM +0200, Thato Molise wrote:
>    I have implemented LDAP for my clients so that they can centrally be
>    authenticated.
> 
>    My dial-up clients are being authenticated through my router by Radius
>    using LDAP.

(Which RADIUS server are you running?)

>    Now, I dont have a problem with my linux clients being authenticated,
>    The problem comes when MS Windows clients are being authenticated,
>    from my radius log file, I get the following error.
> 
>    Mon Apr 17 17:42:11 2006 : Auth: rlm_ldap: Attribute "User-Password"
>    is required for authentication. Cannot use "CHAP-Password".
> 
>    I have been trying everything now, I have even tried to see my ldap
>    mapping dictionary but I cant see where Im getting it wrong. Can
>    somebody help?

My guess is:
- the Windows client is attempting CHAP authentication (rather than PAP)
- your RADIUS server does not support CHAP when using an LDAP backend

In order to perform CHAP authentication, the RADIUS server needs to have
access to the *cleartext* password. In principle it could read this out of
an LDAP attribute; however that's pretty nasty design, since anyone who
breaks into that machine could use LDAP searches to read all the cleartext
passwords out of the LDAP database!

When implementing this at an ISP I worked at before, we modified the LDAP
server so it would accept an LDAP BIND operation using passwords of the form

    :CHAP:<challenge>:<response>

The LDAP server then checked that the challenge and response matched the
given password stored in the database, without revealing what the password
was. A successful BIND operation confirmed that the password was valid.

It worked just fine, but this is not a standard mechanism, and we had to
hack code.

Another solution is to change the config on the RAS to refuse CHAP and only
accept PAP. Most Windows clients will then fallback to PAP. Those which
don't will have to be reconfigured to allow PAP. The feasibility of this
will depend on the size of your userbase.

With PAP, you only need to store encrypted password hashes in your LDAP
server, and the RADIUS server can use a standard LDAP BIND to check them.
The downside is that the password is sent over-the-wire in cleartext from
the client to the RAS, and from the RADIUS server to the LDAP server.
(However it is encrypted between the RAS and the RADIUS server by means of
the RADIUS shared secret)

Regards,

Brian.

More information about the afnog mailing list