
Support NTLMv1 authentication for RADIUS (MSCHAP)

Nik | Klampfradler requested to merge 8-manage-windows-ntlm-profiles into master

This merge request implements an API endpoint to do NTLM authentication, as used in the MS-CHAP protocol family.

Specifically, it adds:

  • A data model to store an NTLM hash of the user's password
  • A preference to automatically keep the NTLM hash updated through password changes
  • An API endpoint taking the inputs for NTLMv1 challenge-response authentication and returning an NTLM user session key
    • The endpoint also accepts a plain password, to verify authentication when using PAP

In essence, this means we can now back FreeRADIUS for PEAP+MSCHAPv2 authentication to do WPA Enterprise (802.1x) on Wi-Fi access points, by simply replacing FreeRADIUS' ntlm_auth script that normally talks to Samba or Microsoft Active Directory with a simple curl command.

Practically, this means we can now support Windows and iOS devices in WPA-Enterprise Wi-Fi networks without resorting to Active Directory or even Samba.

root@frifot:/etc/freeradius/3.0# grep curl mods-enabled/mschap
	ntlm_auth = "/usr/bin/curl --netrc-file /etc/freeradius/curl.netrc -s --fail-with-body -X POST -F username='%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' -F challenge='%{%{mschap:Challenge}:-00}' -F response='%{%{mschap:NT-Response}:-00}' http://localhost:8000/app/kompjuter/api/ntlm_auth/"

Et voilà:

❯ radtest -t mschap nik Pinguin123 localhost:18120 0 testing123
Sent Access-Request Id 56 from 0.0.0.0:60168 to 127.0.0.1:18120 length 129
	User-Name = "nik"
	MS-CHAP-Password = "Pinguin123"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "Pinguin123"
	MS-CHAP-Challenge = 0x3c9bc0d40779cc49
	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000006900b6edc749a59be7f610a086eca1807e5c77a69c79934e
Received Access-Accept Id 56 from 127.0.0.1:18120 to 127.0.0.1:60168 length 84
	MS-CHAP-MPPE-Keys = 0x0000000000000000c1bde530ae5f68e82f20705268976fc0
	MS-MPPE-Encryption-Policy = Encryption-Allowed
	MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

with FreeRADIUS talking directly to AlekSIS' API:

(4)   authenticate {
(4) mschap: Client is using MS-CHAPv1 with NT-Password
(4) mschap: Executing: /usr/bin/curl --netrc-file /etc/freeradius/curl.netrc -s --fail-with-body -X POST -F username='%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' -F challenge='%{%{mschap:Challenge}:-00}' -F response='%{%{mschap:NT-Response}:-00}' http://localhost:8000/app/kompjuter/api/ntlm_auth/:
(4) mschap: EXPAND username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(4) mschap:    --> username=nik
(4) mschap: mschap1: 3c
(4) mschap: EXPAND challenge=%{%{mschap:Challenge}:-00}
(4) mschap:    --> challenge=3c9bc0d40779cc49
(4) mschap: EXPAND response=%{%{mschap:NT-Response}:-00}
(4) mschap:    --> response=6900b6edc749a59be7f610a086eca1807e5c77a69c79934e
(4) mschap: Program returned code (0) and output 'NT_KEY: c1bde530ae5f68e82f20705268976fc0'
(4) mschap: adding MS-CHAPv1 MPPE keys
(4)     [mschap] = ok
(4)   } # authenticate = ok

Closes #8 (closed)

Edited by Nik | Klampfradler
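The merge request describes the endpoint's contract (username, 8-byte challenge, 24-byte NT-Response in; "NT_KEY: <hex>" out) and the PAP plain-password path, but shows only the curl side. The following Go program is an added example, not the MR's code or AlekSIS' API: it implements the server-side computation that such an endpoint has to do, NT hash = MD4(UTF-16LE password), NTLMv1 NT-Response = three DES encryptions of the challenge keyed from the 21-byte padded hash, and the user session key MD4(NT hash) returned as NT_KEY. The `users` map is a constructed stand-in for the MR's data model, `NtlmAuth` and `PapAuth` are hypothetical names, and the constant-time comparison is this example's design choice; the inputs in `main` are the values from the radtest run above.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"unicode/utf16"
)

// md4 implements RFC 1320; Go's standard library has no MD4, while crypto/des still supplies DES.
func md4(data []byte) []byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80)             // pad: 0x80, zeros to 56 mod 64,
	msg = append(msg, make([]byte, (120-len(msg)%64)%64+8)...) // then the bit length, 64-bit LE
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	rotl := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	s1, s2, s3 := []uint{3, 7, 11, 19}, []uint{3, 5, 9, 13}, []uint{3, 9, 11, 15}
	k3 := []int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15} // round 3 word order
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F = (b AND c) OR (NOT b AND d); a,b,c,d rotate each step
			a, b, c, d = d, rotl(a+((b&c)|(^b&d))+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority; word order 0,4,8,12,1,5,9,13,...
			a, b, c, d = d, rotl(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = b XOR c XOR d
			a, b, c, d = d, rotl(a+(b^c^d)+x[k3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, w := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out
}

// ntHash is MD4 over the UTF-16LE password: the value the MR's data model stores.
func ntHash(password string) []byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return md4(buf)
}

// ntlmv1Response is the NTLMv1 / MS-CHAP NT-Response: the NT hash padded to 21 bytes
// gives three 56-bit DES keys, each of which encrypts the 8-byte challenge.
func ntlmv1Response(hash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, hash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		var n uint64 // spread 7 key bytes over 8, 7 bits each; the low bit is DES parity and ignored
		for _, b := range padded[7*i : 7*i+7] {
			n = n<<8 | uint64(b)
		}
		key := make([]byte, 8)
		for j := range key {
			key[j] = byte(n>>uint(49-7*j)&0x7f) << 1
		}
		blk, _ := des.NewCipher(key) // errs only on a non-8-byte key
		blk.Encrypt(resp[8*i:], challenge)
	}
	return resp
}

// users stands in for the MR's data model (username -> stored NT hash); constructed sample user.
var users = map[string][]byte{"nik": ntHash("Pinguin123")}

// NtlmAuth is a hypothetical stand-in for the endpoint's logic: it takes what the curl command posts
// (username, hex challenge, hex NT-Response) and returns the line FreeRADIUS' mschap module parses.
func NtlmAuth(username, challengeHex, responseHex string) (string, error) {
	hash, ok := users[username]
	challenge, err1 := hex.DecodeString(challengeHex)
	response, err2 := hex.DecodeString(responseHex)
	if !ok || err1 != nil || err2 != nil || len(challenge) != 8 || len(response) != 24 {
		return "", errors.New("unknown user or malformed challenge/response")
	}
	if subtle.ConstantTimeCompare(ntlmv1Response(hash, challenge), response) != 1 { // no timing leak
		return "", errors.New("NT-Response does not match the stored NT hash")
	}
	return "NT_KEY: " + hex.EncodeToString(md4(hash)), nil // NTLM user session key
}

// PapAuth is the plain-password path: hash what PAP delivered and compare with the stored hash.
func PapAuth(username, password string) bool {
	hash, ok := users[username]
	return ok && subtle.ConstantTimeCompare(ntHash(password), hash) == 1
}

func main() { // inputs taken from the radtest run in the merge request description
	fmt.Println(NtlmAuth("nik", "3c9bc0d40779cc49", "6900b6edc749a59be7f610a086eca1807e5c77a69c79934e"))
	fmt.Println(PapAuth("nik", "Pinguin123"), PapAuth("nik", "wrong"))
}
```

Run as written, the program answers the MS-CHAPv1 exchange from the radtest transcript with the same NT_KEY line FreeRADIUS logged. The same verification serves PEAP+MSCHAPv2: rlm_mschap derives the 8-byte challenge from the peer challenge, authenticator challenge and username before expanding `%{mschap:Challenge}`, so the endpoint never sees the difference. Because the stored NT hash alone is enough to compute a valid response (the map entry above is exactly that), the table this MR adds is password-equivalent material and deserves the same protection as the password store itself.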
