Support NTLMv1 authentication for RADIUS (MSCHAP)
This merge request implements an API endpoint to do NTLM authentication, as used in the MS-CHAP protocol family.
Specifically, it adds:
- A data model to store an NTLM hash of the user's password
- A preference to automatically keep the NTLM hash updated through password changes
- An API endpoint taking the inputs for NTLMv1 challenge-response authentication and returning an NTLM user session key
- The endpoint also accepts a plain password, to verify authentication when using PAP
In essence, this means we can now back FreeRADIUS for PEAP+MSCHAPv2 authentication to do WPA Enterprise (802.1x) on Wifi access points, by simply replacing FreeRADIUS' ntlm_auth script that normally talks to Samba or Microsoft Active Directory with a simple curl command.
Practically, this means we can now support Windows and iOS devices in WPA-Enterprise wifi networks without resorting to Active Directory or even Samba.
```
root@frifot:/etc/freeradius/3.0# grep curl mods-enabled/mschap
ntlm_auth = "/usr/bin/curl --netrc-file /etc/freeradius/curl.netrc -s --fail-with-body -X POST -F username='%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' -F challenge='%{%{mschap:Challenge}:-00}' -F response='%{%{mschap:NT-Response}:-00}' http://localhost:8000/app/kompjuter/api/ntlm_auth/"
```
Et voila:
```
❯ radtest -t mschap nik Pinguin123 localhost:18120 0 testing123
Sent Access-Request Id 56 from 0.0.0.0:60168 to 127.0.0.1:18120 length 129
	User-Name = "nik"
	MS-CHAP-Password = "Pinguin123"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "Pinguin123"
	MS-CHAP-Challenge = 0x3c9bc0d40779cc49
	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000006900b6edc749a59be7f610a086eca1807e5c77a69c79934e
Received Access-Accept Id 56 from 127.0.0.1:18120 to 127.0.0.1:60168 length 84
	MS-CHAP-MPPE-Keys = 0x0000000000000000c1bde530ae5f68e82f20705268976fc0
	MS-MPPE-Encryption-Policy = Encryption-Allowed
	MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
```
with FreeRADIUS talking directly to AlekSIS' API:
```
(4) authenticate {
(4)   mschap: Client is using MS-CHAPv1 with NT-Password
(4)   mschap: Executing: /usr/bin/curl --netrc-file /etc/freeradius/curl.netrc -s --fail-with-body -X POST -F username='%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' -F challenge='%{%{mschap:Challenge}:-00}' -F response='%{%{mschap:NT-Response}:-00}' http://localhost:8000/app/kompjuter/api/ntlm_auth/:
(4)   mschap: EXPAND username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(4)   mschap:    --> username=nik
(4)   mschap: mschap1: 3c
(4)   mschap: EXPAND challenge=%{%{mschap:Challenge}:-00}
(4)   mschap:    --> challenge=3c9bc0d40779cc49
(4)   mschap: EXPAND response=%{%{mschap:NT-Response}:-00}
(4)   mschap:    --> response=6900b6edc749a59be7f610a086eca1807e5c77a69c79934e
(4)   mschap: Program returned code (0) and output 'NT_KEY: c1bde530ae5f68e82f20705268976fc0'
(4)   mschap: adding MS-CHAPv1 MPPE keys
(4)   [mschap] = ok
(4) } # authenticate = ok
```
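To make the pieces concrete, here is a worked example of the server side of such an endpoint: the NT hash kept per user (and refreshed on password change), the NTLMv1 challenge-response check, the `NT_KEY` line the mschap module parses from ntlm_auth, and the plain-password path used for PAP. This is added example code, not part of this merge request or of AlekSIS; it assumes an in-memory `USERS` dict in place of the data model, a hypothetical `ntlm_auth()` function standing in for the HTTP view, and the `cryptography` package for the DES primitive (MD4 is implemented inline because hashlib's `md4` is frequently unavailable on OpenSSL 3 builds). The values in the `__main__` block are the ones from the radtest session quoted above.

```python
"""Server side of the NTLM (MS-CHAPv1 / NTLMv1) auth endpoint, as a worked example.
Added illustration, not code from this merge request or from AlekSIS.  Assumed, not
from the page: USERS stands in for the data model storing the NT hash, and the
`cryptography` package supplies DES.  MD4 is implemented inline because hashlib's
"md4" is often unavailable on OpenSSL 3 builds."""
import hmac
import struct
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, modes
try:  # cryptography >= 43 moved TripleDES to the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

# ---- MD4 (RFC 1320) ----------------------------------------------------------
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

# per round: boolean function, additive constant, X[] index order, shift amounts
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, range(16), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        h = list(state)
        for f, k, order, shifts in _ROUNDS:
            for i, j in enumerate(order):
                t = (-i) % 4  # register written this step cycles a, d, c, b
                x, y, z = h[(t + 1) % 4], h[(t + 2) % 4], h[(t + 3) % 4]
                h[t] = _rotl((h[t] + f(x, y, z) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, h)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; this is what the data model stores."""
    return md4(password.encode("utf-16-le"))

def nt_user_session_key(nthash: bytes) -> bytes:
    """The NT_KEY ntlm_auth prints: MD4 of the NT hash, used for the MPPE keys."""
    return md4(nthash)

# ---- NTLMv1 / MS-CHAPv1 challenge-response (RFC 2759 section 8.5) ------------
def _des_key(k7: bytes) -> bytes:
    """Spread 7 key bytes over 8, odd parity in the low bit, as DES expects."""
    n = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        b = ((n >> (49 - 7 * i)) & 0x7F) << 1
        out.append(b | int(bin(b).count("1") % 2 == 0))
    return bytes(out)

def _des_ecb(key8: bytes, block8: bytes) -> bytes:
    # 3DES with K1 = K2 = K3 is single DES; cryptography expands an 8-byte key that way.
    enc = Cipher(TripleDES(key8), modes.ECB(), backend=default_backend()).encryptor()
    return enc.update(block8) + enc.finalize()

def ntlmv1_response(nthash: bytes, challenge: bytes) -> bytes:
    """Expected 24-byte NT-Response: the challenge DES-encrypted under three keys
    cut from the NT hash padded with five zero bytes."""
    padded = nthash + b"\x00" * 5
    return b"".join(_des_ecb(_des_key(padded[i:i + 7]), challenge) for i in (0, 7, 14))

# ---- the endpoint, simulated in-process --------------------------------------
USERS = {}  # username -> NT hash; constructed stand-in for the data model

def set_password(username: str, password: str) -> None:
    """The "keep NTLM hash updated" preference: refresh the hash on each password change."""
    USERS[username] = nt_hash(password)

def ntlm_auth(username: str, challenge_hex: str, response_hex: str):
    """Challenge-response path.  Returns the NT_KEY line the mschap module parses, or None."""
    stored = USERS.get(username)
    try:
        challenge, response = bytes.fromhex(challenge_hex), bytes.fromhex(response_hex)
    except ValueError:
        return None
    if stored is None or len(challenge) != 8 or len(response) != 24:
        return None
    if not hmac.compare_digest(ntlmv1_response(stored, challenge), response):
        return None
    return "NT_KEY: " + nt_user_session_key(stored).hex()

def pap_auth(username: str, password: str) -> bool:
    """Plain-password path (PAP): hash the submitted password, compare with the stored hash."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, nt_hash(password))

if __name__ == "__main__":  # values from the radtest / FreeRADIUS session quoted above
    set_password("nik", "Pinguin123")
    print(ntlm_auth("nik", "3c9bc0d40779cc49", "6900b6edc749a59be7f610a086eca1807e5c77a69c79934e"))
```

Running it reproduces the `NT_KEY: c1bde530ae5f68e82f20705268976fc0` line FreeRADIUS logged above, which is how the mschap module derives the MS-CHAP-MPPE-Keys reply. Two details worth keeping in a real view: the comparison uses `hmac.compare_digest` rather than `==`, and malformed or wrong-length challenge/response input is rejected before any crypto runs. Note also that the stored NT hash is a password equivalent (it is all NTLMv1 needs to answer any challenge), so the column holding it warrants the same access controls as the password hash itself.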
Closes #8
Edited by Nik | Klampfradler