Switch authentication with Radius + LDAP
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎11-25-2015 09:25 AM
Hello,
I'm trying to use Freeradius to authenticate the administrators who log into our Extreme switches (Summit X460 or X670)
If the login/password of the administrators are stored in cleartext on the Freeradius server (in the "users" file), it works perfectly.
But in real life, the administrators accounts are stored in an OpenLdap server. So the Freeradius server must do an LDAP request to verify the administrator password. On the LDAP server, the passwords are encrypted with NT-hash.
In this configuration (Freeradius + OpenLDap), i can't get the authentication to work properly.
When i do a tcpdump on the Freeradius server, i see that during authentication, the Extreme switch sends the administrator username, and the password encrypted with MD5 hash. I didn't find any reference in XOS documentation saying how the passwords are sent to the radius server, but it seems to be MD5 hash.
So i guess that with my configuration, it will never work because the freeradius server receives a MD5 hashed password and it must compare it with a NT hashed password...
Did someone tried to get authentication working in a configuration close to mine ? In your opinion is there a way to get this working ?
Thanks in advance for your help
Gabriel
I'm trying to use Freeradius to authenticate the administrators who log into our Extreme switches (Summit X460 or X670)
If the login/password of the administrators are stored in cleartext on the Freeradius server (in the "users" file), it works perfectly.
But in real life, the administrators accounts are stored in an OpenLdap server. So the Freeradius server must do an LDAP request to verify the administrator password. On the LDAP server, the passwords are encrypted with NT-hash.
In this configuration (Freeradius + OpenLDap), i can't get the authentication to work properly.
When i do a tcpdump on the Freeradius server, i see that during authentication, the Extreme switch sends the administrator username, and the password encrypted with MD5 hash. I didn't find any reference in XOS documentation saying how the passwords are sent to the radius server, but it seems to be MD5 hash.
So i guess that with my configuration, it will never work because the freeradius server receives a MD5 hashed password and it must compare it with a NT hashed password...
Did someone tried to get authentication working in a configuration close to mine ? In your opinion is there a way to get this working ?
Thanks in advance for your help
Gabriel
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎11-26-2015 08:36 AM
Let us know if you get it working. Or get stuck. We can help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎11-25-2015 01:05 PM
Gabriel,
The encryption from the switch(radius client) to the RADIUS server does not have the be the same as the LDAP bind to the LDAP server. These function separately to my knowledge. I have not setup Freeradius with Openldap yet but i did find some guides online if you would like to try them out. My apologies if you have already seen these links.
http://www.inspiredtechies.com/setup-freeradius-openldap-mysql-server/
http://ubuntuforums.org/showthread.php?t=1976883
Stephen
The encryption from the switch(radius client) to the RADIUS server does not have the be the same as the LDAP bind to the LDAP server. These function separately to my knowledge. I have not setup Freeradius with Openldap yet but i did find some guides online if you would like to try them out. My apologies if you have already seen these links.
http://www.inspiredtechies.com/setup-freeradius-openldap-mysql-server/
http://ubuntuforums.org/showthread.php?t=1976883
Stephen
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎11-25-2015 10:10 AM
I am not a radius expert but I am fairly sure you need the SSH.xmod to use any inscription other than MD5. I would expect that if you install the xmod it will open up some additional configuration options.
