10-03-2017 11:05 PM
Hi all,
I am using a MySQL DB as an external identity source on ISE 2.3, and I have created stored procedures on MySQL for PAP, PEAP (MSCHAPv1/2), group attributes, etc., with no problem when the password is stored in cleartext in the MySQL DB.
But I have a problem with PEAP auth. when verifying a stored MD5 hash password on MySQL.
The test1 user authenticates successfully when I add the MD5 field to the following stored procedure (ISEAuthUserPlainReturnsRecordset) for basic auth. with PAP.
But I need PEAP (MSCHAPv1/2) auth. for clients, and PEAP auth. is not working when the password is stored as an MD5 hash.
How do I change the procedure for PEAP to use the second procedure and verify the hashed password?
Example:
mysql> select * from users;
+---------+----------+----------------------------------+
| user_id | username | password                         |
+---------+----------+----------------------------------+
|       1 | murat    | password                         |
|       4 | test1    | 2ac9cb7dc02b3c0083eb70898e549b63 |
+---------+----------+----------------------------------+
SQL procedure for PAP
--------------------------------------
DELIMITER //
CREATE DEFINER=`root`@`localhost` PROCEDURE `ISEAuthUserPlainReturnsRecordset`(username varchar(64), password varchar(255))
begin
-- PAP: ISE passes the cleartext password, so the procedure can hash it and compare with the stored MD5 value
IF EXISTS (select * from users where users.username = username and users.password = MD5(password)) THEN
select 0,11,'This is a very good user, give him all access','no error';
ELSE
select 3, 0, 'odbc','ODBC Authen Error';
END IF;
end //
DELIMITER ;
SQL procedure for PEAP, MSCHAPv1/2
----------------------------------------------------
DELIMITER //
CREATE DEFINER=`root`@`localhost` PROCEDURE `ISEFetchPasswordReturnsRecordset1`(username varchar(64))
begin
-- PEAP/MSCHAP: ISE fetches the stored password itself; here the stored value is the MD5 hash, not the password
IF EXISTS (select * from users where users.username = username ) THEN
select 0,11,'This is a very good user, give him all access','no error', password from users where users.username = username;
ELSE
select 3, 0, 'odbc','ODBC Authen Error';
END IF;
end //
DELIMITER ;
Do you have any experience with this?
Thanks
10-03-2017 11:27 PM
This is due to the inner method MS-CHAPv2. For MS-CHAPv2 authentications, ISE needs the plain-text passwords returned from a non-Active-Directory identity store in order to calculate the password hashes to decrypt the packets from the clients.
Academic: Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) - Schneier on Security, for example, explains how MS-CHAPv2 works.
As a result, it won't work when you are returning the MD5 hash of the password.
10-03-2017 11:55 PM
This document describes how to configure Identity Services Engine (ISE) with PostgreSQL Server for ISE authentication using Open Database Connectivity (ODBC).
Note: Open Database Connectivity (ODBC) authentication requires ISE to be able to fetch a plain text user password. The password can be encrypted in the database, but has to be decrypted by the stored procedure
Thanks hslai.
I took this from the article on cisco.com, as I sent you the link. I think it is possible to do this in the stored procedure even if the password is encrypted in the database.
10-04-2017 12:04 AM
... The password can be encrypted in the database, but has to be decrypted by the stored procedure
That is correct and not in contradiction to the fact that the stored procedure needs to return the passwords in plain text for MS-CHAPv2.
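As an added example (not from the thread or from Cisco's documentation) of what the note above means in practice: the password is stored AES-encrypted rather than MD5-hashed, and the fetch procedure decrypts it so that the recordset returned to ISE carries the plain-text password MS-CHAPv2 needs. It assumes MySQL 5.7+/8.0, the same recordset shape as the thread's procedures, and a key literal that is only a placeholder; the table, procedure and key names are hypothetical.

```sql
-- Added example: encrypted-at-rest password, decrypted inside the stored procedure.
-- Assumes MySQL 5.7+/8.0; 'REPLACE_WITH_REAL_KEY' is a placeholder for the deployment's key.
CREATE TABLE IF NOT EXISTS users (
  user_id  INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(64) NOT NULL UNIQUE,
  password VARBINARY(255) NOT NULL   -- AES_ENCRYPT output (binary), not a hash
);

-- Constructed sample row for testing; the password is encrypted, not hashed.
INSERT INTO users (username, password)
VALUES ('test1', AES_ENCRYPT('password', 'REPLACE_WITH_REAL_KEY'));

DELIMITER //
CREATE PROCEDURE ISEFetchPasswordReturnsRecordset2(IN in_username VARCHAR(64))
BEGIN
  DECLARE plain VARCHAR(255) DEFAULT NULL;

  -- Decrypt in the procedure; AES_DECRYPT yields NULL for a missing row or a wrong key,
  -- so both cases fall through to the failure recordset below.
  SELECT CONVERT(AES_DECRYPT(u.password, 'REPLACE_WITH_REAL_KEY') USING utf8mb4)
    INTO plain
    FROM users u
   WHERE u.username = in_username
   LIMIT 1;

  IF plain IS NOT NULL THEN
    -- Same columns as the thread's fetch procedure: code, group, message, error text, password.
    -- The fifth column is the plain-text password ISE uses to compute the MS-CHAPv2 hashes.
    SELECT 0, 11, 'This is a very good user, give him all access', 'no error', plain;
  ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error';
  END IF;
END //
DELIMITER ;

-- Manual check: CALL ISEFetchPasswordReturnsRecordset2('test1'); returns 'password' in column 5.
```

The PAP procedure from the original post can stay as it is only if it is pointed at the same encrypted column and compares against AES_DECRYPT rather than MD5, since the two procedures must read the same stored value.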