Pengwyn
just joined
Topic Author
Posts: 1
Joined: Mon May 02, 2022 12:18 am

Login with freeradius -> openldap

Mon May 02, 2022 12:31 am

Hi,

I have recently moved to using Mikrotik hardware and have really enjoyed configuring the products, but have come upon a stumbling block that I cannot work out.

My setup is that I have openldap running with SSHA hashed passwords for users in the ldap database.
I am also running freeradius as a radius proxy to openldap, because Mikrotik does not support ldap and only supports radius; so ok, use freeradius as a proxy.
However, when trying to login to the router when radius is activated, the freeradius debugging says that auth type mschap was found. Now this sounds wrong; I have not configured mschap on my router, nor do I believe that mschap will work with hashed passwords from openldap, as the radius server itself will never have a plaintext password to hash/compare if using mschap.

Storing user passwords in plaintext is an absolute no-go, however using PAP over radsec is fine.

How can I go about setting this situation?

If not, then in future releases can we please have the option of using PAP+radsec instead of mschap for radius login? Or even better, direct ldap login option? It seems bizarre to only have a single option that does not work in a variety of cases for centralized AAA.

Thanks
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Login with freeradius -> openldap

Tue May 03, 2022 11:07 pm

I can't recall what was used previously, from the changelog...
MAJOR CHANGES IN v6.43:
!) radius - use MS-CHAPv2 for "login" service authentication;

I suspect transporting plain-text credentials over plain RADIUS, only protected by a simple secret, was considered a bad idea. You are correct that MSCHAPv2 requires plaintext or a suitable plaintext equivalent at the server; in particular the NT hash of a password, as available in an Active Directory setup, is suitable. Storing plaintext credentials at rest on the server obviously has risks; there are workarounds such as reversible encryption with the key stored in a hardware security module.

You could make a feature request to Mikrosoft to make the login method configurable if using RadSec, although the current approach is unlikely to change any time soon unless there is a huge demand. One approach would be to also store the NT password hash in OpenLDAP and restrict access on that to the RADIUS server.
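To illustrate the point made in both posts (an SSHA hash can only be verified against the plaintext the client sends, so it works for PAP but not MS-CHAPv2, whereas the NT hash is the "plaintext equivalent" MS-CHAPv2 can work from), here is an added example that is not from this thread: it computes the NT hash (MD4 over the UTF-16LE password) an administrator would provision alongside the existing SSHA value, and verifies an SSHA hash the way a PAP-capable server does. The attribute name `sambaNTPassword` is an assumption taken from the Samba LDAP schema; MD4 is implemented inline because `hashlib.new("md4")` is often unavailable on OpenSSL 3 builds.

```python
import base64
import hashlib
import hmac
import struct


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, three rounds of sixteen steps over 64-byte blocks."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (mixing function, additive constant, per-step shifts, message-word schedule)
    rounds = [(F, 0x00000000, (3, 7, 11, 19), lambda i: i),
              (G, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: int(f"{i:04b}"[::-1], 2))]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, const, shifts, kf in rounds:
            for i in range(16):
                a = _lrot((a + f(b, c, d) + X[kf(i)] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the next one
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); uppercase hex is the Samba attribute format."""
    return md4(password.encode("utf-16-le")).hex().upper()


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, password: str) -> bool:
    """What a PAP server can do: re-hash the cleartext it received and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    pw = "password"  # constructed sample credential
    print(f"userPassword: {make_ssha(pw, b'salt')}")   # usable by PAP
    print(f"sambaNTPassword: {nt_hash(pw)}")           # usable by MS-CHAPv2 (assumed attribute)
```

The SSHA value cannot be turned into the NT hash after the fact, so the NT hash has to be written at password-set time, and the ACL on that attribute should limit reads to the RADIUS server's bind DN.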
