>On Wed, 2004-02-25 at 08:30, Arthur EBEL wrote:
>> I would like to use PEAP / MSCHAP2 / LDAP
>> My password is stored in my LDAP directory using Crypt.

>See many many previous discussions in this list on the requirement of
>cleartext passwords for MS-CHAP.

OK, some user education has to happen here.  (Feel free to correct me
if this is in any way wrong.) NT-Hash is a password encryption technology just
like crypt is a password encryption technology.  If you have a clear text
password you can encrypt it and come out with an NT-Hash password, or you could
encrypt it and come out with a crypt password.  However, once it is in an
encrypted form it is impossible to compare two different encryption forms to
tell if it is the same password.  PEAP / MSCHAPv2 passes the password encrypted
with NT-Hash encryption, so it is impossible to compare it against the crypt
password stored in LDAP.  It is also impossible to decrypt the NT-Hash password
back to a clear text password, so the password passed with PEAP / MSCHAPv2
cannot be used in an LDAP bind either.  It is possible to use PEAP / MSCHAPv2
with LDAP, however one must store the NT-Hash password in LDAP.  I've had the
same problem with crypt as my password encryption in LDAP.  I ended up having to
create an extra LDAP attribute for NT-Hash passwords.  Whenever a user now goes
through a password change, the NT-Hash password attribute will also be
populated at the same time the crypt password is changed in LDAP.  After you
set this up, make sure to define the attribute in the ldap.attrmap for
NT-Password and it will work great with PEAP / MSCHAPv2.

Chris Wieringa
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
