[afnog] Cisco, Radius & LDAP Problem

Thato Molise info at datacom.co.ls
Thu Apr 20 09:59:50 EAT 2006


Oh, my LDAP version is openldap 2.0.27-17; indeed I haven't updated to a
newer version. Can that be the problem too?

regards,

T. Molise

Phone: (+266) 22312764/22317672/58850032/58997232
Fax: (+266) 22317672
Email: tmolise at datacom.co.ls
          tmolise at motech.co.ls
          info at datacom.co.ls
          info at motech.co.ls
          support at datacom.co.ls
          support at motech.co.ls

----- Original Message ----- 
From: "Brian Candler" <B.Candler at pobox.com>
To: "Thato Molise" <info at datacom.co.ls>
Cc: <afnog at afnog.org>
Sent: Wednesday, April 19, 2006 1:12 PM
Subject: Re: [afnog] Cisco, Radius & LDAP Problem


> On Wed, Apr 19, 2006 at 08:39:35AM +0200, Thato Molise wrote:
>>    I have implemented LDAP for my clients so that they can centrally be
>>    authenticated.
>>
>>    My dial-up clients are being authenticated through my router by Radius
>>    using LDAP.
>
> (Which RADIUS server are you running?)
>
>>    Now, I don't have a problem with my linux clients being authenticated.
>>    The problem comes when MS Windows clients are being authenticated;
>>    from my radius log file, I get the following error.
>>
>>    Mon Apr 17 17:42:11 2006 : Auth: rlm_ldap: Attribute "User-Password"
>>    is required for authentication. Cannot use "CHAP-Password".
>>
>>    I have been trying everything now. I have even tried to see my ldap
>>    mapping dictionary, but I can't see where I'm getting it wrong. Can
>>    somebody help?
>
> My guess is:
> - the Windows client is attempting CHAP authentication (rather than PAP)
> - your RADIUS server does not support CHAP when using an LDAP backend
>
> In order to perform CHAP authentication, the RADIUS server needs to have
> access to the *cleartext* password. In principle it could read this out of
> an LDAP attribute; however that's pretty nasty design, since anyone who
> breaks into that machine could use LDAP searches to read all the cleartext
> passwords out of the LDAP database!
>
> When implementing this at an ISP I worked at before, we modified the LDAP
> server so it would accept an LDAP BIND operation using passwords of the form
>
>    :CHAP:<challenge>:<response>
>
> The LDAP server then checked that the challenge and response matched the
> given password stored in the database, without revealing what the password
> was. A successful BIND operation confirmed that the password was valid.
>
> It worked just fine, but this is not a standard mechanism, and we had to
> hack code.
>
> Another solution is to change the config on the RAS to refuse CHAP and only
> accept PAP. Most Windows clients will then fall back to PAP. Those which
> don't will have to be reconfigured to allow PAP. The feasibility of this
> will depend on the size of your userbase.
>
> With PAP, you only need to store encrypted password hashes in your LDAP
> server, and the RADIUS server can use a standard LDAP BIND to check them.
> The downside is that the password is sent over the wire in cleartext from
> the client to the RAS, and from the RADIUS server to the LDAP server.
> (However, it is encrypted between the RAS and the RADIUS server by means of
> the RADIUS shared secret.)
>
> Regards,
>
> Brian. 
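An added illustration of the point in Brian's reply (this is not code from the thread, from either poster, or from FreeRADIUS/OpenLDAP): a PAP check can be done against a stored {SSHA} hash, but an RFC 1994 CHAP response can only be recomputed from the cleartext secret, which is exactly what the rlm_ldap error is complaining about. The last two functions show one way a BIND password in the ":CHAP:<challenge>:<response>" form could be verified; the hex encoding of both fields and the RADIUS CHAP-Password layout (identifier byte followed by the 16-byte MD5 digest) are assumptions, since the message does not spell them out.

```python
import hashlib
import hmac

# Constructed sample data (not from the thread): one user stored two ways.
CLEARTEXT_STORE = {"alice": "correct horse"}   # what CHAP verification needs
SALT = b"\x01\x02\x03\x04"                     # fixed salt so results are reproducible

def ssha(password: str, salt: bytes) -> bytes:
    """OpenLDAP {SSHA} userPassword body: SHA-1(password || salt) || salt."""
    return hashlib.sha1(password.encode() + salt).digest() + salt

HASHED_STORE = {"alice": ssha("correct horse", SALT)}  # what a PAP/BIND setup can store

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def verify_pap(user: str, password: str) -> bool:
    """PAP: the server holds the cleartext, so a hash comparison (or an LDAP BIND) works."""
    stored = HASHED_STORE.get(user)
    if stored is None:
        return False
    salt = stored[20:]                         # SHA-1 digest is 20 bytes; the rest is the salt
    return hmac.compare_digest(ssha(password, salt), stored)

def verify_chap(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """CHAP: only the cleartext secret lets us recompute the digest; a hash store cannot."""
    secret = CLEARTEXT_STORE.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def verify_chap_bind(user: str, bind_password: str) -> bool:
    """Verify a BIND password of the form ':CHAP:<challenge>:<response>' (assumed: hex
    fields, <response> = CHAP identifier byte + 16-byte digest, as in RADIUS CHAP-Password)."""
    parts = bind_password.split(":")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "CHAP":
        return False
    try:
        challenge, resp = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return False
    return len(resp) == 17 and verify_chap(user, resp[0], challenge, resp[1:])

def make_chap_bind_password(ident: int, secret: str, challenge: bytes) -> str:
    """The RADIUS-server side of the same (assumed) encoding, sent as the BIND password."""
    resp = bytes([ident]) + chap_response(ident, secret, challenge)
    return f":CHAP:{challenge.hex()}:{resp.hex()}"
```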
