> On Tue, Apr 02, 2002 at 04:43:43PM -0600, McNutt, Justin M. wrote:
> > Okay, so the way that Microsoft's RADIUS server gets away
> > with this is due to the fact that in a Microsoft domain, user
> > names and passwords are not stored using strong (one-way)
> > encryption. You can decrypt the password file.
>
> No. Microsoft stores a cleartext equivalent of the password.

In terms of being able to get the cleartext password itself, this is the same thing. While unix stores a one-way encrypted version of your password, Microsoft stores a hash that can be trivially defeated.

> > So when an EAP request comes in to an MS RADIUS server, MS
> > decrypts your password, then encrypts it again using EAP-MD5,
> > which it can then check against the string that came from the NAS.
>
> No, it hashes the cleartext equivalent the same way the client does.
> It then compares the two hashes.

Again, same idea. MS uses the repository of password-equivalent strings that are stored in Active Directory, the NT domain, whatever, to compare against the authentication string provided in the EAP request.

The problem I have with all of this is the fact that the actual passwords can be deduced using the "cleartext equivalent" that MS stores. This is a huge weakness in NT/2K-based authentication that I was hoping to get around using FreeRADIUS. Unfortunately the way EAP-MD5 works with FreeRADIUS is just as bad (or worse) from the standpoint of having a file somewhere with all of my users' passwords in it in cleartext (or trivially-decodable) form.

So if I want to use FreeRADIUS and EAP, EAP-TLS is the only option I have left (so far).

--J

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
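To illustrate the point made in this exchange, here is an added example (not part of the thread and not FreeRADIUS code): it computes the EAP-MD5 response the way the client does (the CHAP algorithm, MD5 over identifier, password and challenge) and shows that a server holding only a unix-style salted one-way hash cannot verify such a response, while one holding the cleartext (or a password-equivalent) can. The store classes, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    # Client side of EAP-MD5 (CHAP, RFC 1994): MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

class CleartextStore:
    """Hypothetical backend keeping the cleartext (or password-equivalent) per user."""
    def __init__(self, users: dict):
        self.users = users  # constructed sample: {username: cleartext password bytes}

    def check_pap(self, user, password):
        return hmac.compare_digest(self.users.get(user, b""), password)

    def check_eap_md5(self, user, identifier, challenge, response):
        # Server hashes the stored value exactly as the client did and compares.
        if user not in self.users:
            return False
        expected = eap_md5_response(identifier, self.users[user], challenge)
        return hmac.compare_digest(expected, response)

class OneWayStore:
    """Hypothetical unix-style backend: only salt + slow one-way hash is kept."""
    def __init__(self, users: dict):
        self.users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self.users[name] = (salt, self._digest(pw, salt))

    @staticmethod
    def _digest(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000)

    def check_pap(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(self._digest(password, salt), stored)

    def check_eap_md5(self, user, identifier, challenge, response):
        # MD5(id || pw || challenge) cannot be derived from pbkdf2(pw, salt),
        # so a one-way store cannot decide an EAP-MD5 response at all.
        return None  # "undecidable", deliberately distinct from False

def demo():
    users = {"alice": b"correct horse"}  # constructed sample user
    ident, chal = 7, os.urandom(16)
    resp = eap_md5_response(ident, users["alice"], chal)
    return (CleartextStore(users).check_eap_md5("alice", ident, chal, resp),
            OneWayStore(users).check_eap_md5("alice", ident, chal, resp),
            OneWayStore(users).check_pap("alice", users["alice"]))
```

`demo()` returns `(True, None, True)`: the same stored data verifies PAP either way, but only the cleartext store can answer an EAP-MD5 challenge.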
