"McNutt, Justin M." wrote:

> 
> Again, same idea.  MS uses the repository of password-equivalent strings that are
> stored in Active Directory, the NT domain, whatever to compare against the
> authentication string provided in the EAP request.
> 
> The problem I have with all of this is the fact that the actual passwords can be
> deduced using the "cleartext equivalent" that MS stores.  This is a huge weakness in
> NT/2K-based authentication that I was hoping to get around using FreeRADIUS.
> 
> Unfortunately the way EAP-MD5 works with FreeRADIUS is just as bad (or worse) from
> the standpoint of having a file somewhere with all of my users' passwords in them in
> cleartext (or a trivially-decodable) form.
> 
> So if I want to use FreeRADIUS and EAP, EAP-TLS is the only option I have left (so
> far).
> 

I am not sure about MS but based on your observation,
I think EAP-TLS is your best option.

Here you are talking about 2 different aspects:
1. Secure mechanism of storing passwords locally.
      You have to deal with this locally.
      Partly the same problem applies even for certificates.

2. Secure mechanism of authentication over the network.
     CHAP, EAP-MD5 are better but EAP-TLS is the best (IMHO).



-- 
 (( ))
   |  
 |.|  HereUAre !!
 |_|  (( Raghu ))

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
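The point both posters circle around (EAP-MD5 forces the server to keep cleartext passwords, while EAP-TLS avoids the password store altogether) can be made concrete. The following is an added example, not code from the thread or from FreeRADIUS: it computes the EAP MD5-Challenge response exactly as RFC 3748 section 5.4 (and CHAP, RFC 1994) define it, MD5(Identifier || Secret || Challenge), and contrasts two constructed user-store formats. A cleartext entry can verify both a PAP-style password and an EAP-MD5 response; a one-way salted PBKDF2 entry can verify PAP but has nothing to feed into the challenge hash, so the check refuses it. All sample values (identifier, challenge, password, the entry classes and the `StoreCannotVerify` exception) are assumptions made for the example.

```python
"""Why EAP-MD5 needs a cleartext password store, shown against a one-way store.
Constructed example; not the thread's or FreeRADIUS's code."""
import hashlib
import hmac
import os

# --- constructed sample data (not from the thread) ---
IDENTIFIER = 0x2A
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PASSWORD = b"correct horse battery staple"


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP MD5-Challenge response (RFC 3748 s5.4, same construction as CHAP,
    RFC 1994): MD5(Identifier || Secret || Challenge). The raw secret is an
    input to the hash, which is the root of the storage problem."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class CleartextEntry:
    """What an EAP-MD5-capable user store has to hold: the password itself."""
    kind = "cleartext"

    def __init__(self, password: bytes):
        self.password = password


class Pbkdf2Entry:
    """One-way, salted storage. The server can check a submitted password
    but cannot recover the raw password or anything derived from it."""
    kind = "pbkdf2-sha256"

    def __init__(self, password: bytes, iterations: int = 200_000):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.digest = hashlib.pbkdf2_hmac("sha256", password, self.salt, iterations)

    def check_password(self, candidate: bytes) -> bool:
        d = hashlib.pbkdf2_hmac("sha256", candidate, self.salt, self.iterations)
        return hmac.compare_digest(d, self.digest)


class StoreCannotVerify(Exception):
    """Raised when the stored credential form cannot support the requested method."""


def verify_pap(entry, submitted_password: bytes) -> bool:
    """PAP-style check: the client sends the password itself, so either
    store kind can verify it."""
    if isinstance(entry, CleartextEntry):
        return hmac.compare_digest(entry.password, submitted_password)
    return entry.check_password(submitted_password)


def verify_eap_md5(entry, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Challenge/response check. Only a store holding the cleartext (or a
    reversibly encoded) password can recompute MD5(id || secret || challenge);
    a one-way store is rejected up front rather than silently failing."""
    if isinstance(entry, CleartextEntry):
        expected = eap_md5_response(identifier, entry.password, challenge)
        return hmac.compare_digest(expected, response)
    raise StoreCannotVerify(
        f"{entry.kind} store cannot verify EAP-MD5; it needs the cleartext password"
    )


def demo() -> dict:
    """Run the four store/method combinations and report the outcome of each."""
    resp = eap_md5_response(IDENTIFIER, PASSWORD, CHALLENGE)
    clear, hashed = CleartextEntry(PASSWORD), Pbkdf2Entry(PASSWORD)
    results = {
        "pap/cleartext": verify_pap(clear, PASSWORD),
        "pap/pbkdf2": verify_pap(hashed, PASSWORD),
        "eap-md5/cleartext": verify_eap_md5(clear, IDENTIFIER, CHALLENGE, resp),
    }
    try:
        verify_eap_md5(hashed, IDENTIFIER, CHALLENGE, resp)
    except StoreCannotVerify as exc:
        results["eap-md5/pbkdf2"] = str(exc)
    return results


if __name__ == "__main__":
    for combo, outcome in demo().items():
        print(f"{combo:20s} {outcome}")
```

The practical check this encodes: before enabling an EAP method, ask whether the credential store can produce the value the method's verifier needs. EAP-MD5 needs the secret itself; a salted one-way hash cannot be converted back, so the only way to make EAP-MD5 work is to store passwords in cleartext or a reversible form, which is the weakness McNutt describes. EAP-TLS sidesteps the question because the verifier holds certificates and a trust anchor, not a per-user secret.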
