Security

Occasional Contributor I
Posts: 9
Registered: ‎01-28-2013

ssha pass on LDAP - FreeRadius - Aruba 802.1X WiFi


Hi

I've got an LDAP backend with SSHA passwords and FreeRADIUS as auth proxy, and it is actually working (it authenticates VPN clients over OpenSwan).

I'm actually doing VLAN derivation (802.1X) using another RADIUS (Microsoft over Active Directory), but I would like to use my main auth facility (FreeRADIUS and OpenLDAP).

This is what I get from RADIUS; I cannot understand whether it is the Aruba controller asking for NT/LM (I don't have it) or whether I've done something wrong on FreeRADIUS (I think I haven't, as it is actually working with OpenSwan's VPN).

Any idea? Can Aruba support SSHA passwords on an LDAP backend?

Tue Oct 29 11:26:29 2013 : Info: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Tue Oct 29 11:26:29 2013 : Info: [mschapv2] +- entering group MS-CHAP {...}
Tue Oct 29 11:26:29 2013 : Info: [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
Tue Oct 29 11:26:29 2013 : Info: [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
Tue Oct 29 11:26:29 2013 : Info: [mschap] Creating challenge hash with username: mpistolesi
Tue Oct 29 11:26:29 2013 : Info: [mschap] Told to do MS-CHAPv2 for mpistolesi with NT-Password
Tue Oct 29 11:26:29 2013 : Info: [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
Tue Oct 29 11:26:29 2013 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Tue Oct 29 11:26:29 2013 : Info: ++[mschap] returns reject
Tue Oct 29 11:26:29 2013 : Info: [eap] Freeing handler
Tue Oct 29 11:26:29 2013 : Info: ++[eap] returns reject
Tue Oct 29 11:26:29 2013 : Info: Failed to authenticate the user.

 

Guru Elite
Posts: 20,018
Registered: ‎03-29-2007

Re: ssha pass on LDAP - FreeRadius - Aruba 802.1X WiFi



Unfortunately, to do 802.1X with MSCHAPv2, your passwords need to be encrypted with NTLM or Open (not encrypted).  SHA-Encrypted passwords cannot do MSCHAPv2, unfortunately:

 

http://deployingradius.com/documents/protocols/compatibility.html

 

By the way, Microsoft passwords are encrypted with NTLM.

 

SHA-Encrypted passwords can be done on Aruba, but you need to run EAP-GTC instead of MSCHAPv2.  That would mean installing a custom supplicant on all of your clients, unfortunately.  The "easiest" way would be to migrate all your users to AD.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
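An added example (not code from this thread, from FreeRADIUS or from Aruba) illustrating the explanation above: an {SSHA} value can only be verified by re-hashing a cleartext password, which PAP or EAP-GTC delivers, whereas MS-CHAPv2 needs the NT hash, which no one-way salted hash can yield. The scheme-prefix sets are an assumed illustration of the linked compatibility chart, and the log excerpt is constructed from the messages quoted in the question.

```python
import base64
import hashlib
import hmac

# Added example (not code from the thread, FreeRADIUS or Aruba): why an {SSHA}
# userPassword passes a cleartext check (PAP / EAP-GTC) but never MS-CHAPv2.
def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(pw + salt) + salt). Constructed data."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored: str, candidate: str) -> bool:
    """The only check a salted hash allows: re-hash the cleartext candidate
    (which PAP or EAP-GTC delivers) with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)

# Scheme prefixes (assumed), illustrating the compatibility chart linked above:
# MS-CHAPv2 needs the NT hash, derivable only from cleartext or a stored NT
# hash; a one-way salted hash such as SSHA cannot be converted into it.
MSCHAP_CAPABLE = {"{CLEAR}", "{CLEARTEXT}", "{NT}"}
CLEARTEXT_CHECK_ONLY = {"{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}"}

def mschapv2_possible(user_password: str) -> bool:
    """True if a RADIUS server could answer MS-CHAPv2 from this value (no prefix = cleartext)."""
    end = user_password.find("}")
    scheme = user_password[: end + 1].upper() if user_password.startswith("{") else "{CLEAR}"
    if scheme in MSCHAP_CAPABLE:
        return True
    if scheme in CLEARTEXT_CHECK_ONLY:
        return False
    raise ValueError(f"unknown scheme {scheme}")

# Constructed excerpt carrying the same messages as the quoted FreeRADIUS log.
SAMPLE_LOG = """\
Info: [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
Info: [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
Info: ++[mschap] returns reject
"""

def diagnose(log: str) -> str:
    """Classify the rlm_mschap reject: this pair of messages means the backend gave neither cleartext nor an NT hash."""
    if "Cannot create NT-Password" in log and "No NT/LM-Password" in log:
        return "one-way hashed password store; MS-CHAPv2 cannot be served"
    return "mschap rejected for another reason" if "returns reject" in log else "no mschap failure"
```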
Occasional Contributor I
Posts: 9
Registered: ‎01-28-2013

Re: ssha pass on LDAP - FreeRadius - Aruba 802.1X WiFi

You are telling me that it is the client that is asking for MSCHAPv2, did I understand it right?

If so, I have another question: my clients are 95% Mac OS X; they can authenticate using SSHA and they are actually doing so on the file server (AFP share -> netatalk -> LDAP with SSHA) and VPN (default OS X client -> L2TP -> OpenSwan -> RADIUS -> LDAP). Do you know if there's a way to force them to use SSHA instead of MSCHAPv2 without installing a custom supplicant? As you wrote before, I understood no; is that right?

Guru Elite
Posts: 20,018
Registered: ‎03-29-2007

Re: ssha pass on LDAP - FreeRadius - Aruba 802.1X WiFi



All clients support MSCHAPv2.  That is because Active Directory is so pervasive.

 

If 95% of your clients are Macs, they support EAP-GTC, so you could:

 

1.  Configure an LDAP server on the controller to point directly to your LDAP server internally (no need for FreeRADIUS) - Go to Configuration> Security> Authentication> LDAP Server to set this up on an Aruba Controller

2.  Test the LDAP server on the Aruba Controller by going to Diagnostics> AAA Test Server on the Aruba Controller and test a valid username and password.  Make sure it works before proceeding to the next step.

3.  Set up a different SSID using the WLAN/LAN Wizard and point it to your LDAP server.  It should automatically enable EAP-Termination on the Aruba Controller.  You can go back in the 802.1x profile and ensure that the termination type is EAP-GTC.

4.  When the SSID is broadcast, you can just click on it with your Mac, and it will ask you for your username and password and it should work.  No FreeRADIUS is necessary, because Macs support EAP-GTC.  As you can see from the chart here:  http://deployingradius.com/documents/protocols/compatibility.html EAP-GTC has the best support for types of encrypted passwords.  Unfortunately, outside of Macs, it has limited support (some mobile devices like Android and iOS do support it, but Windows requires a supplicant).

 

A how-to on how to ensure that EAP-GTC is configured is here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-406

 

Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 9
Registered: ‎01-28-2013

Re: ssha pass on LDAP - FreeRadius - Aruba 802.1X WiFi

... so I'm losing compatibility with the 5% of Windows PCs (5% of 500 computers).

"You can have your cake, or you can eat it."

I think I'm going to migrate to NT / LM and support SMB instead of AFP (that was the reason for SSHA).

Thanks for your help!

Guru Elite
Posts: 20,018
Registered: ‎03-29-2007

Re: ssha pass on LDAP - FreeRadius - Aruba 802.1X WiFi

5% of 500 is a big number.  Hopefully you can get this figured out.  Good Luck!

Colin Joseph
Aruba Customer Engineering
