
List:       freeradius-users
Subject:    Re: Enterasys Wireless controller with Mgmt user authentication via RADIUS MSCHAP
From:       Alan Alejandro Villaverde <alan.villaverde () gmail ! com>
Date:       2014-10-30 17:31:37
Message-ID: CAB3yt=K0oFe=ifrHHimvdFu3RRfre8pR68s9ExfwARqsB1D-ng () mail ! gmail ! com



Understood! Thanks for your support and time guys!

2014-10-30 11:49 GMT-03:00 Alan DeKok <aland@deployingradius.com>:

> Alan Alejandro Villaverde wrote:
> > The only way I found to make it work is setting the following lines in
> > the users file:
> >
> > vi users:
> >
> > avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456"
>
>   Don't do that.  You were told to not do that.  It's not necessary.
> It's wrong.
>
> > It works, but how do you handle 1000 users, for example? It becomes very
> > difficult to manage the user passwords.
>
>   You put the passwords in a database.  That's what databases are for.
>
> > For instance, if the user changes the password on the Linux box, then you
> > need to edit the users file to replicate that password.
>
>   i.e. you store the passwords in 2 places, so when the password
> changes, it has to be changed in both places.
>
>   That's not a surprise.
>
> > I have tacacs+ running on the same box, and the user only has to use a
> > single password for radius and tacacs, defined by passwd. I am using PAM
> > authentication for this.
>
>   I have no idea what that means.
>
> > On the other hand, if I work with PAP I can handle the users like
> > Linux users, so the management is easier and it depends on the final
> > user. The user can access the Linux box and change his password with a
> > simple passwd and all is replicated for tacacs and freeradius. That is
> > how it works today, but I was requested to set up MSCHAP
> > authentication due to security audits.
>
>   MS-CHAP isn't much more secure than PAP.
>
> > When a user tries to access the wireless controller, he enters his password and
> > then radius checks the password against the passwd file or shadow file
> > without any necessity of "editing the radius users file".
>
>   MS-CHAP is incompatible with /etc/passwd.  It's impossible to use them
> both.
>
> > I think I am missing something regarding how to set MSCHAP
> > authentication, and that radius checks the password without using
> > Cleartext-Password in the USERS file.
>
>   The server doesn't care where it gets the password from.  It doesn't
> matter if it's the "users" file, a database, or anywhere else.
>
>   The server DOES care about the format of the password.  MS-CHAP
> requires clear-text passwords, *or* NT hashed passwords.  Neither format
> can be stored in /etc/passwd.
>
>   It's impossible to "work around" this.  Don't even try.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Alan Alejandro Villaverde.

                                    ,JL.
                                  j@, Zv
                                uJ.u@qJ
                              :LBO:v1
                           :r1@  MB
                          G1 rB8Ur          ,
                         r@Ei  O        .7  @.
                       :N,:BBO05v,:, :7  u  Or
                      vM@r:E: rqr,:  .v  X  Or
                    7@r v@U   ,@:::  5  .L  M:
                  YO:2@OS.     .   .7:  N  iP
                  Y@riBr      ,:i:::  :q  ,q.
                    qk              :ii  YO.
                             iv7r77r   iGF              :7v7
                                    :u0u.   7Lj      ;5k1r7BN
                            7P552552v:      LUM1,  7FUi:..v@B
                                              ik7JMJ. ..,v@rk.
      _..._                                    Y8. vL: .5@v E.
    .'     '.                                 ui,N: .G.O@:  @
   /  _   _  \                              .P:   J7LEBO   Bi
   | (o)_(o) |                             .1      i@B7  .MU
    \(     ) /                             2     :M@u  .uMi
    //'._.'\ \                            :k  :U@BOi:vSM2B
   //   .   \ \                            7E@B@B@O8PrMk ;B
  ||   .     \ \                                      @:  @r
  |\   :     / |                                     EM.  ;@
  \ `) '   (`  /_                                   .B7    0L
_)``".____,.'"` (_                 ..,:i;7vjuFXZEOMMBBL:::.rB@B@B@
)     )'--'(     (           .,::ir77vvJjuu2UF5SS00GZOMBB@B@B@B@B@B@
 '---`      `---` ::iirr77rrr77vLLLjuu25FXPNZGMOOO@B@B@B@B@@@B@B@B@B
                  :i:i::,:,i,:,:.:.:.:.:.:.:.,.,.,............. ...
