[strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?

Michael Schwartzkopff ms at sys4.de
Wed Jan 10 18:57:33 CET 2018


On 10.01.2018 at 04:39, RA wrote:
> Hi.
>
> Thanks for your reply.  'NT-Password'  isn't working with Strongswan
> though radtest is checking it just fine:
>
> # smbencrypt mypass
> LM Hash                                 NT Hash
> --------------------------------        --------------------------------
> 92315C8B485693A7AAD3B435B51404EE        E0C32CDA6F6ECC163F442D002BBA3DAF
>
> # INSERT INTO radcheck (username, attribute, op, VALUE) VALUES
> # ('mylogin', 'NT-Password', ':=', 'E0C32CDA6F6ECC163F442D002BBA3DAF');
>
> # radtest mylogin mypass my.radius.server 10 mysecret
> Sending Access-Request of id 237 to x.x.x.x port 1812
>         User-Name = "mylogin"
>         User-Password = "mypass"
>         NAS-IP-Address = x.x.x.x
>         NAS-Port = 10
>         Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host x.x.x.x port 1812, id=237, length=20
>
> Do I need to make any changes on the radius or Strongswan side to make
> them work with NT-Password?
>
> Thanks & Regards,
> Ron

Hi,

this depends on your config. Does your client offer "ms-chapv2" as auth
mech? Perhaps it is better to use EAP (eap-radius in strongswan).

For debugging please look at the output of radiusd -X. Or paste the
output here.


> ----- Original message -----
> From: Giuseppe De Marco <giuseppe.demarco at unical.it>
> To: RA <ss17 at fea.st>
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?
> Date: Tue, 9 Jan 2018 15:46:04 +0100
>
> Hi RA,
> Yes you can, I use NT-Password instead.
> I get this working on LDAP and Freeradius 
>
> 2018-01-09 14:07 GMT+01:00 RA <ss17 at fea.st>:
>> Hi.
>>
>>  I have been able to follow the guides and tutorials online and
>>  successfully set up a Strongswan IKEv2 server which authenticates with
>>  a Freeradius server with MySQL back-end. Everywhere I saw
>>  instructions like these only:
>>
>>  INSERT INTO radcheck (username, attribute, op, VALUE) VALUES ('test',
>>  'Cleartext-Password', ':=', 'pass123');
>>
>>  Now this works just fine but I don't want to store plain text
>>  passwords in database and would prefer the "VALUE" column to be
>>  hashed in some way. But being new to this, I just don't know how &
>>  would be really glad if someone can provide pointers. Not sure
>>  whether it's even possible or not.
>>
>>  Thanks in advance.
>>
>>  Regards.
>>  Ron
>

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein

