Friday 18 February 2011

LDAP + OTP over CHAP

Many people wish they could use LDAP password + OTP in RADIUS authentication to enhance their security. MSCHAP (CHAP) is de facto the common protocol used in RADIUS, as PAP is denounced due to its plain-text transmission across the Internet. However, LDAP + OTP over CHAP is technically impossible. Why? You will certainly ask the same question I did when I first dealt with it. Basically, you can regard CHAP as a hash algorithm like the popular MD5 or SHA1. In mathematics,


HASH(StaticPass + OTP) != HASH(StaticPass) + HASH(OTP)


At the VPN client side, you input StaticPass + OTP; at the VPN server side, the server receives HASH(StaticPass + OTP). If the server does not have the plain text of StaticPass, it cannot decide whether there is a match. Unfortunately the LDAP password is not available as plain text: according to MS, the password itself is actually an LM hash. As a result, no two-factor authentication service provider can support LDAP + OTP over CHAP. If you know any vendors who claim they support this, please let me know.
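To make the argument concrete, here is a small Python model added to this post (not Deepnet's code). It uses the RFC 1994 CHAP/MD5 response, Response = MD5(Identifier || Secret || Challenge), with a constructed static password, OTP and challenge, and compares three servers: one holding the static password in clear, one holding only a hash of it (the LDAP case), and a PAP server holding only the hash.

```python
import hashlib
import hmac

# Constructed sample values for the demo (not taken from the post).
STATIC_PASS = b"correct horse"
OTP = b"482913"
CHAP_ID = 1
CHALLENGE = bytes.fromhex("0123456789abcdef")


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def client_chap(identifier, challenge, static_pass, otp):
    """The user types StaticPass + OTP into one field; the client hashes the
    concatenation, so the server only ever sees HASH(StaticPass + OTP)."""
    return chap_response(identifier, static_pass + otp, challenge)


def verify_chap_with_plaintext(identifier, challenge, response, static_pass, otp):
    """Server holding StaticPass in clear (e.g. a StaticPass token in its own
    database) can rebuild the exact client input and compare digests."""
    expected = chap_response(identifier, static_pass + otp, challenge)
    return hmac.compare_digest(expected, response)


def verify_chap_with_hash_only(identifier, challenge, response, pass_hash, otp):
    """Server holding only HASH(StaticPass) (the LDAP case). The natural
    attempt, hashing the stored hash together with the OTP, is not what the
    client hashed, so even a correct login never matches."""
    guess = chap_response(identifier, pass_hash + otp, challenge)
    return hmac.compare_digest(guess, response)


def verify_pap(password_field, pass_hash, otp, otp_len=6):
    """Over PAP the server receives the clear-text field, so it can split off
    the OTP and check each factor on its own, the static part against the
    stored hash. This is why PAP supports the combined modes and CHAP does not."""
    static_part, otp_part = password_field[:-otp_len], password_field[-otp_len:]
    static_ok = hmac.compare_digest(hashlib.sha256(static_part).digest(), pass_hash)
    return static_ok and hmac.compare_digest(otp_part, otp)


def demo():
    stored_hash = hashlib.sha256(STATIC_PASS).digest()  # what an LDAP-style store keeps
    resp = client_chap(CHAP_ID, CHALLENGE, STATIC_PASS, OTP)
    return {
        "chap_plaintext": verify_chap_with_plaintext(CHAP_ID, CHALLENGE, resp, STATIC_PASS, OTP),
        "chap_hash_only": verify_chap_with_hash_only(CHAP_ID, CHALLENGE, resp, stored_hash, OTP),
        "pap_hash_only": verify_pap(STATIC_PASS + OTP, stored_hash, OTP),
    }
```

Running `demo()` gives `chap_plaintext` and `pap_hash_only` True and `chap_hash_only` False, matching the two tables below.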


Here is the summary of Deepnet RADIUS authentication. X = supported.


In the situation where a StaticPass token does not physically exist in the Deepnet database, the LDAP password is used instead.

                     MSCHAP2 (CHAP)    PAP
    StaticPass                         X
    OTP              X [1]             X
    StaticPass + OTP                   X
    StaticPass >> OTP                  X


If a StaticPass token exists, the password can be retrieved in Deepnet.

                     MSCHAP2 (CHAP)    PAP
    StaticPass       X                 X
    OTP              X [1]             X
    StaticPass + OTP X [1]             X
    StaticPass >> OTP X [1]            X

Note: [1] All OTP tokens except the Vasco token.
