Figure 8.1. Normal LDAP Authentication
The processing is different if a group membership is being retrieved since a request is sent to the
LDAP server to search for memberships and any group memberships are then sent back in the
response.
B. PPP Authentication with CHAP, MS-CHAPv1 or MS-CHAPv2 Encryption
If PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 is used for authentication, a digest of the user's
password will be sent to NetDefendOS by the client. NetDefendOS cannot just forward this
digest to the LDAP server since this will not be understood. The solution is for NetDefendOS to
obtain the password in plain-text from the LDAP server, create a digest itself, and then compare
the created digest with the digest from the client. If the two are the same, authentication is
successful but it is NetDefendOS that makes the authentication decision and not the LDAP
server.
To retrieve the password from the LDAP server, two things are needed:
•
The
Password Attribute
parameter needs to be specified when defining the server to
NetDefendOS. This will be the ID of the field on the LDAP server that will contain the
password when it is sent back.
This ID must be different from the default password attribute (which is usually
userPassword
for most LDAP servers). A suggestion is to use the
description
field in the LDAP database.
•
In order for the server to return the password in the database field with the ID specified, the
LDAP administrator must make sure that the plain text password is found there. LDAP servers
store passwords in encrypted digest form and do not provide automatic mechanisms for
doing this. It must therefore be done manually by the administrator as they add new users
and change existing users passwords.
This clearly involves some effort from the administrator, as well as leaving passwords
dangerously exposed in plain text form on the LDAP server. These are some of the reasons
why LDAP may not be viewed as a viable authentication solution for CHAP, MS-CHAPv1 or
MS-CHAPv2 encrypted PPP.
When NetDefendOS receives the password digest from the client, it initiates a
Search Request
to
the LDAP server. The server replies with a
Search Response
which will contains the user's
password and any group memberships. NetDefendOS is then able to compare digests. The
diagram below illustrates this process.
Chapter 8: User Authentication
623
Summary of Contents for NetDefendOS
Page 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Page 32: ...Chapter 1 NetDefendOS Overview 32 ...
Page 144: ...Chapter 2 Management and Maintenance 144 ...
Page 284: ...Chapter 3 Fundamentals 284 ...
Page 392: ...Chapter 4 Routing 392 ...
Page 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Page 420: ...Chapter 5 DHCP Services 420 ...
Page 573: ...Chapter 6 Security Mechanisms 573 ...
Page 607: ...Chapter 7 Address Translation 607 ...
Page 666: ...Chapter 8 User Authentication 666 ...
Page 775: ...Chapter 9 VPN 775 ...
Page 819: ...Chapter 10 Traffic Management 819 ...
Page 842: ...Chapter 11 High Availability 842 ...
Page 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Page 879: ...Chapter 13 Advanced Settings 879 ...