Password comparison

Introduction

The password comparison feature authenticates users against a hashed password stored in an optional attribute of the user repository, rather than in the standard password attribute. The feature is specifically designed to work with a Microsoft Active Directory user repository. The field containing the hashed password can be any one of the user attributes in Active Directory, and it is specified from Mideye Server. This attribute must contain the (case sensitive) hashed password, Base64 encoded, in the following form:

{HASH_TYPE}hashed_Password_Base64_Encoded

An account with appropriate permissions to read user information from Active Directory, including the attribute containing the hashed password, is needed.

Note: When Password Comparison is used, the Activate LDAP user locking feature is enabled automatically and cannot be disabled. This is to prevent brute force attacks by locking the user in Mideye Server for a specified time after a certain number of failed login attempts. Max failed user attempts is the number of failed login attempts after which the user is locked, and Number of minutes locked is the duration for which the user remains locked.

Supported Password Hashes

The supported password hashes are:

SHA: SHA-1 hash algorithm

SSHA: Salted SHA

CRYPT: Unix crypt function

MD5: MD5 hash algorithm

SMD5: Salted MD5 algorithm

To produce valid password hashes, the plain text password must be UTF-8 encoded and the hash must be Base64 encoded, as explained in the following section.

Hashing Process

The hashing process is as follows:

• Encode the plain text password to a byte array using UTF-8

• Hash the byte array using one of the supported hash algorithms

• Encode the hash to Base64 format

• Prepend the hash algorithm name, enclosed in curly brackets, to the result

For example, possible hashes of the password “password” are:

• {SSHA}VtpoxGYLenxwGC88loHYDwb1SpqBbOb6c1OyZiyAQcgFYPPnqRFviA==

• {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

• {CRYPT}aajfMKNH1hTm2

• {MD5}X03MO1qnZdYdgyfeuILPmQ==

• {SMD5}swXK27O85U86pZxk/sAN6nNhbHQ=

Note: The character encoding used to produce the password hash and the one used by the RADIUS client must be the same. The same string encoded with different encodings may produce different byte arrays and therefore different final hashes, so even if the password string is the same, a different encoding will prevent correct validation.

Note: The strings stored for the password comparison in the repository are case sensitive; for example, {CRYPT}aajfMKNH1hTm2 will work but {crypt}aajfMKNH1hTm2 will not.
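The hashing steps, the {HASH_TYPE} format and the two notes above, worked through in added example code (this is not Mideye's implementation and only illustrates the scheme): make_hash builds a stored value for the SHA, SSHA, MD5 and SMD5 schemes, and verify checks a UTF-8 password against one, rejecting a tag whose case does not match. The salt length of 8 bytes and the trailing-salt layout for SSHA/SMD5 are assumptions that follow the common LDAP convention; CRYPT is left out because Python 3.13 removed the crypt module.

```python
import base64
import hashlib
import hmac
import os

# Scheme tag -> (hashlib name, salted?). Tags are matched case-sensitively,
# like the repository strings. CRYPT is omitted: Python 3.13 removed the
# crypt module. Added example code, not Mideye's implementation.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def make_hash(password, scheme, salt=None, encoding="utf-8"):
    """Return {SCHEME}base64 per the hashing steps above. Salted schemes
    store digest(password + salt) followed by the raw salt bytes (assumed
    layout); the encoding parameter exists only to show the encoding caveat."""
    algo, salted = SCHEMES[scheme]
    data = password.encode(encoding)
    if salted:
        salt = os.urandom(8) if salt is None else salt   # 8-byte salt assumed
        blob = hashlib.new(algo, data + salt).digest() + salt
    else:
        blob = hashlib.new(algo, data).digest()
    return "{" + scheme + "}" + base64.b64encode(blob).decode("ascii")


def verify(password, stored):
    """True if the UTF-8 password matches a stored {SCHEME}base64 value."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    if scheme not in SCHEMES:            # {sha} or {crypt} is rejected here
        return False
    algo, salted = SCHEMES[scheme]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:                   # binascii.Error is a ValueError
        return False
    size = hashlib.new(algo).digest_size
    # Salted: the first digest_size bytes are the digest, the rest the salt.
    digest, salt = (blob[:size], blob[size:]) if salted else (blob, b"")
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare
```

Encoding "pässword" as UTF-8 and as Latin-1 yields different {SHA} values, which is the mismatch the encoding note warns about.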

Usage Example

Prerequisite: Mideye Server is configured with a working LDAP server, so that a User Search can be performed from the LDAP Server Configuration dialog.

To enable password comparison, in the LDAP Server Configuration dialog, select the Authentication tab. Use the Password Override field to specify the Active Directory user attribute in which the hashed password is stored. In this example, the user attribute physicalDeliveryOfficeName is specified to store the hashed password.

Provided that all the other settings, such as authentication type, mobile number and/or token number, are correct, after saving and restarting Mideye Server it is possible to perform a RADIUS authentication against the hashed password present in the specified attribute of the configured LDAP server.