ISE 2.3 MySQL integration with stored MD5 user passwd?

murat001 (Level 4)

Hi all,

I am using a MySQL DB as an external identity source on ISE 2.3, and I have created stored procedures on MySQL for PAP, PEAP (MSCHAPv1/2), group attributes etc. There is no problem with cleartext passwords stored in the MySQL DB.

But I have a problem with PEAP auth. when verifying a stored MD5 hash password on MySQL.

The test1 user auth. succeeds when I add the MD5 field in the following stored procedure (ISEAuthUserPlainReturnsRecordset) for basic auth. with PAP.

But I need PEAP (MSCHAPv1/2) auth. for clients, and PEAP auth. is not working when the password is stored as an MD5 hash.

How do I change the procedure for PEAP to use the second procedure and verify the hash password?

Example:

mysql> select * from users;
+---------+----------+----------------------------------+
| user_id | username | password                         |
+---------+----------+----------------------------------+
|       1 | murat    | password                         |
|       4 | test1    | 2ac9cb7dc02b3c0083eb70898e549b63 |
+---------+----------+----------------------------------+

SQL procedure for PAP
--------------------------------------

DELIMITER //
-- PAP contract: ISE passes the submitted username and password; the procedure
-- answers with the four ISE result columns (result code, group, account info,
-- error string). 0 = success, non-zero = failure.
-- The parameters are named like the columns: MySQL resolves the unqualified
-- names to the parameters and the users.* names to the columns.
CREATE DEFINER=`root`@`localhost` PROCEDURE `ISEAuthUserPlainReturnsRecordset`(username varchar(64), password varchar(255))
BEGIN
  IF EXISTS (SELECT * FROM users WHERE users.username = username AND users.password = MD5(password)) THEN
    SELECT 0, 11, 'This is a very good user, give him all access', 'no error';
  ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error';
  END IF;
END //
DELIMITER ;

SQL procedure for PEAP, MS-CHAPv1/2
----------------------------------------------------

DELIMITER //
-- Fetch-password contract: ISE passes only the username and expects the four
-- result columns plus a fifth column with the user's password, which ISE then
-- uses for the MS-CHAP computation itself. 0 = success, non-zero = failure.
CREATE DEFINER=`root`@`localhost` PROCEDURE `ISEFetchPasswordReturnsRecordset1`(username varchar(64))
BEGIN
  IF EXISTS (SELECT * FROM users WHERE users.username = username) THEN
    -- users.password is returned exactly as stored in the column
    SELECT 0, 11, 'This is a very good user, give him all access', 'no error', users.password
      FROM users WHERE users.username = username;
  ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error';
  END IF;
END //
DELIMITER ;

Do you have any experience with this?

Thanks

Accepted Solution

hslai (Cisco Employee)

This is due to the inner method MS-CHAPv2. For MS-CHAPv2 authentications, ISE needs the plain-text passwords returned from a non-Active-Directory identity store in order to calculate the password hashes to decrypt the packets from the clients.

Academic: Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) - Schneier on Security, for example, explains how MS-CHAPv2 works.


As a result, it won't work when you are returning the MD5 hash of the password.

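The point hslai makes can be shown in code. The following is an added example, not code from the thread or from Cisco: it models the two ODBC contracts after murat001's procedures (a yes/no answer for PAP, and a fetch-password procedure whose returned value the server must use to verify a challenge response itself) against a constructed two-row user store. Real MS-CHAPv2 (RFC 2759) derives the response from the NT hash (MD4 over the UTF-16LE password) with three DES operations; neither MD4 nor DES is in the Python standard library, so SHA-256 and HMAC-SHA256 stand in for them here, and all function names are this example's own. The structure is unchanged: the verifier needs a key derived from the password itself, which an MD5 digest stored in place of the password cannot supply.

```python
"""Why a PAP procedure can work against an MD5 column while an MS-CHAPv2
fetch procedure cannot. Added example; SHA-256 and HMAC-SHA256 stand in for
the MD4 and DES steps of RFC 2759 (assumption for runnability)."""
import hashlib
import hmac
import os

# Constructed identity store mirroring the thread's users table: one row with
# the cleartext password, one row holding MD5(password) in its place.
USERS = {
    "murat": "password",
    "test1": hashlib.md5(b"password").hexdigest(),
}

# The four ISE result columns used by the thread's procedures.
ISE_OK = (0, 11, "This is a very good user, give him all access", "no error")
ISE_FAIL = (3, 0, "odbc", "ODBC Authen Error")


def proc_auth_user_plain(username, password):
    """PAP contract, as the thread's procedure does it: compare the stored
    column to MD5 of the submitted password and return the ISE result columns.
    Only a yes/no leaves the store, so a one-way hash in the column is enough
    (and a cleartext row such as murat fails this particular comparison)."""
    stored = USERS.get(username)
    if stored is not None and stored == hashlib.md5(password.encode()).hexdigest():
        return ISE_OK
    return ISE_FAIL


def proc_fetch_password(username):
    """MS-CHAPv2 contract: the ISE result columns plus whatever the password
    column holds. The server does the cryptography with that value."""
    stored = USERS.get(username)
    if stored is None:
        return ISE_FAIL + (None,)
    return ISE_OK + (stored,)


def password_key(password):
    """Stand-in for NtPasswordHash: a digest the protocol (not the store)
    defines over the cleartext password. MD4 over UTF-16LE in real MS-CHAPv2;
    SHA-256 here."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(password, auth_challenge, peer_challenge, username):
    """Stand-in for GenerateNTResponse: ChallengeHash as in RFC 2759 (SHA-1 of
    peer challenge, authenticator challenge and username, first 8 bytes), then
    a keyed operation with the password key (three DES operations in the RFC;
    HMAC-SHA256 here)."""
    chal = hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]
    return hmac.new(password_key(password), chal, hashlib.sha256).digest()


def client_respond(username, password, auth_challenge):
    """Supplicant side: pick a peer challenge and answer the server challenge."""
    peer_challenge = os.urandom(16)
    return peer_challenge, challenge_response(password, auth_challenge, peer_challenge, username)


def server_verify(username, auth_challenge, peer_challenge, response):
    """Server side: fetch the secret through the stored procedure and recompute
    the expected response. With an MD5 string in the column the recomputed
    value is keyed by the wrong secret and never matches the client's."""
    result = proc_fetch_password(username)
    if result[0] != 0:
        return False
    expected = challenge_response(result[4], auth_challenge, peer_challenge, username)
    return hmac.compare_digest(expected, response)


def mschapv2_attempt(username, password_typed):
    """One complete exchange: server challenge, client response, verification."""
    auth_challenge = os.urandom(16)
    peer_challenge, response = client_respond(username, password_typed, auth_challenge)
    return server_verify(username, auth_challenge, peer_challenge, response)


if __name__ == "__main__":
    print("PAP      test1 / password:", proc_auth_user_plain("test1", "password")[0] == 0)
    print("PAP      murat / password:", proc_auth_user_plain("murat", "password")[0] == 0)
    print("MS-CHAP  murat / password:", mschapv2_attempt("murat", "password"))
    print("MS-CHAP  test1 / password:", mschapv2_attempt("test1", "password"))
```

Running it shows test1 passing PAP and failing MS-CHAPv2 with the correct password, while murat (cleartext in the column) passes MS-CHAPv2. The fetch procedure can only ever hand back what the column holds, so the column must hold the password (or something the procedure can turn back into it).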


Introduction

This document describes how to configure Identity Services Engine (ISE) with PostgreSQL Server for ISE authentication using Open Database Connectivity (ODBC).


Note: Open Database Connectivity (ODBC) authentication requires ISE to be able to fetch a plain text user password. The password can be encrypted in the database, but has to be decrypted by the stored procedure.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200644-Configure-ODBC-on-ISE-2-1-with-PostgreSQ.html

Thanks hslai,

I took this article from cisco.com, as in the link I sent you. I think it is possible to do this with a stored procedure even if the password is encrypted in the database.

... The password can be encrypted in the database, but has to be decrypted by the stored procedure

That is correct, and not in contradiction to the fact that the stored procedure needs to return the passwords in plain text for MS-CHAPv2.