Can I use Radius + LDAP with passwords in MD5

Posted on 2010-03-25
Medium Priority
Last Modified: 2012-08-13
I want to use RADIUS with Cisco IPsec. User accounts are stored in LDAP. Passwords are stored in LDAP as MD5. In the RADIUS config I found this restriction:

        #  However, LDAP can be used for authentication ONLY when the
        #  Access-Request packet contains a clear-text User-Password
        #  attribute.  LDAP authentication will NOT work for any other
        #  authentication method.
        #  This means that LDAP servers don't understand EAP.  If you
        #  force "Auth-Type = LDAP", and then send the server a
        #  request containing EAP authentication, then authentication
        #  WILL NOT WORK.

Q - Can I use Radius + LDAP with passwords in MD5?
Question by:mik0s

Expert Comment

ID: 28661247
Not for EAP or most modern authentication mechanisms...

IF your password goes over the wire/air UNENCRYPTED, it can be stored encrypted. This seems not to be desirable.

IF your password is hashed together with other info at the source,
then to compare, the same must be done on the destination; the other info included might be time or knowledge about the link (source & destination IP address) etc. All are common at both ends.
To be able to do that REQUIRES an unencrypted password (in storage).

Therefore you cannot use an MD5 password with a modern authentication mechanism.

Password stores nowadays aren't flat files visible to everybody anymore. So the protection of stored data can be achieved in a different way.
And the networked medium is arguably much easier to tap than a straight cable.

Author Comment

ID: 28662095
But storing passwords in the clear seems very bad to me. What do I do?

Expert Comment

ID: 28663923
If you store the password in LDAP then you can store the files on an encrypted filesystem if you like. You have to manage proper security on the access to the data. LDAP can help: you can restrict access to a field in LDAP based on credentials.
In the past the password files were publicly readable (there was more info there that was needed afterwards by other processes); this was alleviated when the shadow password file came into use.
LDAP should protect access to your passwords. If your system is for general use you can think about moving LDAP to a specialized identity server (a system that ONLY runs LDAP and is only accessible for systems management). Could be done on a 4-eyes principle if needed.

The alternative to storing passwords unencrypted is to send them unencrypted over the wire when authenticating... that's even more undesirable.
Security is never absolute.
Your password is only secure in a system if you turn the power off and pour the system under concrete. But it's not usable anymore.
It's a scale and it's about risk management. Who do you trust more:
your company personnel or any person from the street? (Again, there is no absolute trust.)

Author Comment

ID: 28664917
I understand that, but I cannot store the passwords in clear text in LDAP, because they use other software which cannot work with clear text passwords.
In this case, what mechanism should I use on Cisco Air?

Expert Comment

ID: 28696264
Right, but it is a restriction of some other application; it is not a restriction of LDAP.
If you need to authenticate to LDAP it doesn't matter what password you put there; it can handle a lot of different methods.

You might need to configure a different field as the "password for network access" field which is not encrypted.
People do have two passwords then.

Author Comment

ID: 28863266
Ok, thanks, I already considered that variant, but would like to know whether this limitation is specific to FreeRADIUS. Is there another RADIUS server to use which has no such restriction?

Accepted Solution

noci earned 2000 total points
ID: 28881217
The limitation is not in the RADIUS implementation; it is in the method by which authentication happens...

EAP works like this:

Both sides generate a random number and exchange it, and both agree on an encryption & signing method.

The initiator:
Agrees with the other side on a random string of bits (sometimes named 'cookie' or 'salt') which is used to randomize the signing.
The password, or known secret, is then pulled through MD5/SHA1 together with the salt.
The hashed password is sent over the wire after encrypting it with the available keys (public/private, or symmetric).

The receiving end can then ONLY decrypt until it has the hashed password. (This decryption certifies the other end to a degree, because it must have the private key or know the symmetric key.)
It also has the salt and IT HAS the known secret. Using the salt + known secret it can generate an identical hash as the initiator did. If the hashes match it is considered proof of identity...

If one side only has the MD5 stored, the random string must be known in advance (and it must stay fixed...). This is also the case with passwords stored in the password file: the salt is generated from the username + a random value. That random value is prefixed in an MD5 password.

The technique used (EAP) means that the password MUST BE available in clear text form at BOTH sides of a channel. So if you don't want to do that you need to find something other than EAP to use. Whichever software you use, it's the authentication mechanism that demands this.
(That is already so when using CHAP in PPP. PAP sends the password unencrypted over the wire, while CHAP more or less works like EAP; it only doesn't use certificates.)

If you compare this to e.g. Cisco, then the passwords are not encrypted, they are only obfuscated. Tools do exist to make a password readable again from the obfuscated one; the Cisco algorithm is slightly better than rot-13.

The public key is extracted from a certificate.
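A short demonstration of the point made in the accepted solution, added here and not part of the original thread: with PAP the clear-text password reaches the server, so a stored OpenLDAP-style `{MD5}` userPassword (base64 of the raw digest) can be verified, whereas a CHAP-style challenge/response (RFC 1994, MD5 variant) can only be verified from the clear-text secret, because MD5(id || secret || challenge) cannot be derived from MD5(secret). The credential, challenge and function names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample credential for the demonstration (not from the thread).
PASSWORD = "correct horse battery"


def ldap_md5_userpassword(password: str) -> str:
    """Build an OpenLDAP-style {MD5} userPassword value: base64 of the raw MD5 digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify_pap(stored_userpassword: str, user_password_attr: str) -> bool:
    """PAP case: the clear-text password arrives in the User-Password attribute,
    so the server can re-hash it and compare against the stored {MD5} value."""
    if not stored_userpassword.startswith("{MD5}"):
        raise ValueError("only the {MD5} scheme is handled in this example")
    computed = ldap_md5_userpassword(user_password_attr)
    return hmac.compare_digest(stored_userpassword, computed)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    Computed by the client, which knows the clear-text secret."""
    data = bytes([identifier]) + secret.encode("utf-8") + challenge
    return hashlib.md5(data).digest()


def verify_chap(stored_userpassword: str, identifier: int,
                challenge: bytes, response: bytes):
    """Server side of CHAP. Returns True/False when it can verify, or None when
    the directory holds only a hash: the server must recompute
    MD5(id || secret || challenge), which needs the secret itself, not MD5(secret)."""
    if stored_userpassword.startswith("{"):   # any hashed scheme, e.g. {MD5}
        return None
    expected = chap_response(identifier, stored_userpassword, challenge)
    return hmac.compare_digest(expected, response)
```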

Author Comment

ID: 28884852
This theme seems very difficult to me. I'm afraid I don't understand all you wrote about.
Maybe you can recommend me a good book about it?

Expert Comment

ID: 28912614
Please look up the documents mentioned in the reference section of the Article:

Also check this article about PAP & CHAP (the precursors of EAP).
