D-Link DFL-260 Product Manual - Page 365
Normal LDAP Authentication, B. PPP Authentication with CHAP
UPC - 790069296802
View all D-Link DFL-260 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 365 highlights
8.2.4. External LDAP Servers Chapter 8. User Authentication Figure 8.1. Normal LDAP Authentication The processing is different if a group membership is being retrieved since a request is sent to the LDAP server to search for memberships and any group memberships are then sent back in the response. B. PPP Authentication with CHAP, MS-CHAPv1 or MS-CHAPv2 Encryption If PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 is used for authentication, a digest of the user's password will be sent to NetDefendOS by the client. NetDefendOS cannot just forward this digest to the LDAP server since this won't be understood. The solution is for NetDefendOS to obtain the password in plain-text from the LDAP server, create a digest itself, and then compare the created digest with the digest from the client. If the two are the same, authentication is successful but it is NetDefendOS that makes the authentication decision and not the LDAP server. To retrieve the password from the LDAP server, two things are needed: • The Password Attribute parameter needs to be specified when defining the server to NetDefendOS. This will be the ID of the field on the LDAP server that will contain the password when it's sent back. This ID must be different from the default password attribute (which is usually userPassword for most LDAP servers). A suggestion is to use the description field in the LDAP database. • In order for the server to return the password in the database field with the ID specified, the LDAP administrator must make sure that the plain text password is found there. LDAP servers store passwords in encrypted digest form and do not provide automatic mechanisms for doing this. It must therefore be done manually by the administrator as they add new users and change existing users passwords. This clearly involves some effort from the administrator, as well as leaving passwords dangerously exposed in plain text form on the LDAP server. These are some of the reasons why LDAP may not be viewed as a viable authentication solution for CHAP, MS-CHAPv1 or MS-CHAPv2 encrypted PPP. When NetDefendOS receives the password digest from the client, it initiates a Search Request to the LDAP server. The server replies with a Search Response which will contains the user's password and any group memberships. NetDefendOS is then able to compare digests. The diagram below illustrates this process. 365