https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39741#M2348 Nice work Gabriel and thanks for circling back to the Hub Community to tell us how you solved it. Good stuff! Thu, 26 Nov 2015 16:36:00 GMT Ryan_Mathews 2015-11-26T16:36:00Z https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39735#M2342 Hello,<BR /> <BR /> I'm trying to use Freeradius to authenticate the administrators who log into our Extreme switches (Summit X460 or X670)<BR /> If the login/password of the administrators are stored in cleartext on the Freeradius server (in the "users" file), it works perfectly.<BR /> But in real life, the administrators accounts are stored in an OpenLdap server. So the Freeradius server must do an LDAP request to verify the administrator password. On the LDAP server, the passwords are encrypted with NT-hash. <BR /> In this configuration (Freeradius + OpenLDap), i can't get the authentication to work properly.<BR /> When i do a tcpdump on the Freeradius server, i see that during authentication, the Extreme switch sends the administrator username, and the password encrypted with MD5 hash. I didn't find any reference in XOS documentation saying how the passwords are sent to the radius server, but it seems to be MD5 hash.<BR /> <BR /> So i guess that with my configuration, it will never work because the freeradius server receives a MD5 hashed password and it must compare it with a NT hashed password...<BR /> <BR /> Did someone tried to get authentication working in a configuration close to mine ? In your opinion is there a way to get this working ?<BR /> <BR /> Thanks in advance for your help<BR /> Gabriel Wed, 25 Nov 2015 17:25:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39735#M2342 Gabriel3 2015-11-25T17:25:00Z https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39736#M2343 I am not a radius expert but I am fairly sure you need the SSH.xmod to use any inscription other than MD5. I would expect that if you install the xmod it will open up some additional configuration options. Wed, 25 Nov 2015 18:10:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39736#M2343 davidj_cogliane 2015-11-25T18:10:00Z https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39737#M2344 Gabriel,<BR /> <BR /> The encryption from the switch(radius client) to the RADIUS server does not have the be the same as the LDAP bind to the LDAP server. These function separately to my knowledge. I have not setup Freeradius with Openldap yet but i did find some guides online if you would like to try them out. My apologies if you have already seen these links.<BR /> <BR /> <A href="http://www.inspiredtechies.com/setup-freeradius-openldap-mysql-server/" target="_blank" rel="nofollow noreferrer noopener">http://www.inspiredtechies.com/setup-freeradius-openldap-mysql-server/</A><BR /> <BR /> <A href="http://ubuntuforums.org/showthread.php?t=1976883" target="_blank" rel="nofollow noreferrer noopener">http://ubuntuforums.org/showthread.php?t=1976883</A><BR /> <BR /> Stephen<BR /> Wed, 25 Nov 2015 21:05:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39737#M2344 StephenW 2015-11-25T21:05:00Z https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39738#M2345 Hello,<BR /> <BR /> @David : yes i already have ssh xmod installed on the switch. Administrators log into the switches using SSH. However when the switches passes the password to the radius server, it uses the "User-Password" Radius Attribute, which is based on MD5 hash<BR /> <BR /> @Stephen : thanks for the links, i'm going to read that<BR /> <BR /> Gabriel<BR /> Thu, 26 Nov 2015 16:36:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39738#M2345 Gabriel3 2015-11-26T16:36:00Z https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39739#M2346 Let us know if you get it working. Or get stuck. We can help. <BR /> Thu, 26 Nov 2015 16:36:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39739#M2346 StephenW 2015-11-26T16:36:00Z https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39740#M2347 Hello,<BR /> <BR /> Actually, i got it working.<BR /> I thought that when an administrator log into a switch that was configured for Radius authentication, the switch sent an MD5-encrypted password to the Radius server, but it's not true.<BR /> As described in <A href="http://freeradius.org/rfc/rfc2865.html#User-Password" target="_blank" rel="nofollow noreferrer noopener">http://freeradius.org/rfc/rfc2865.html#User-Password</A>, actually the switch makes a MD5 hash of the shared secret + "authenticator" radius attribute, and then it XORes this with the password. And it sends this result to the Radius server.<BR /> On the Radius side, the Radius server knows the shared secret, the authenticator attribute (it is sent in the Radius message), so it can make the reverse operation : MD5 hash of (shared secret + authenticator) + XOR with the encrypted password, and therefore it finds the clear-text password of the administrator.<BR /> Once the Radius server has the cleartext password, it can encrypt it again in any form (NT hash, MD5 hash, Unix Crypt...) depending on how passwords are encrypted in the database (LDAP or AD server for example)<BR /> I couldn't get this to work just because i hade made mistakes in my Freeradius configuration files, it had nothing to do with encryption problems<BR /> <BR /> Thanks again guys for your help<BR /> Gabriel<BR /> <BR /> Thu, 26 Nov 2015 16:36:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39740#M2347 Gabriel3 2015-11-26T16:36:00Z https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39741#M2348 Nice work Gabriel and thanks for circling back to the Hub Community to tell us how you solved it. Good stuff! Thu, 26 Nov 2015 16:36:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39741#M2348 Ryan_Mathews 2015-11-26T16:36:00Z https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39742#M2349 Gabriel thanks for letting everyone know how you got it working!<BR /> <BR /> Thu, 26 Nov 2015 16:36:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/switch-authentication-with-radius-ldap/m-p/39742#M2349 StephenW 2015-11-26T16:36:00Z