beautypg.com

Ldap for ppp with chap, ms-chapv1 or ms-chapv2 – Amer Networks E5Web GUI User Manual

Page 534

background image

B. PPP Authentication with CHAP, MS-CHAPv1 or MS-CHAPv2 Encryption

If PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 is used for authentication, a digest of the user's
password will be sent to cOS Core by the client. cOS Core cannot just forward this digest to the
LDAP server since this won't be understood. The solution is for cOS Core to obtain the password
in plain-text from the LDAP server, create a digest itself, and then compare the created digest
with the digest from the client. If the two are the same, authentication is successful but it is cOS
Core that makes the authentication decision and not the LDAP server.

To retrieve the password from the LDAP server, two things are needed:

The Password Attribute parameter needs to be specified when defining the server to cOS
Core. This will be the ID of the field on the LDAP server that will contain the password when it
is sent back.

This ID must be different from the default password attribute (which is usually userPassword
for most LDAP servers). A suggestion is to use the description field in the LDAP database.

In order for the server to return the password in the database field with the ID specified, the
LDAP administrator must make sure that the plain text password is found there. LDAP servers
store passwords in encrypted digest form and do not provide automatic mechanisms for
doing this. It must therefore be done manually by the administrator as they add new users
and change existing users passwords.

This clearly involves some effort from the administrator, as well as leaving passwords
dangerously exposed in plain text form on the LDAP server. These are some of the reasons
why LDAP may not be viewed as a viable authentication solution for CHAP, MS-CHAPv1 or
MS-CHAPv2 encrypted PPP.

When cOS Core receives the password digest from the client, it initiates a Search Request to the
LDAP server. The server replies with a Search Response which will contains the user's password
and any group memberships. cOS Core is then able to compare digests. The diagram below
illustrates this process.

Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2

Important: The link to the LDAP server must be protected

Since the LDAP server is sending back passwords in plain text to cOS Core, the link

Chapter 8: User Authentication

534

This manual is related to the following products:
See also other documents in the category Amer Networks Computer Accessories: