Quoting Alan DeKok <[EMAIL PROTECTED]>:
"Grant, Alastair Ian" <[EMAIL PROTECTED]> wrote:
We are using PEAP with MS-CHAPv2 and LDAP and a Win2000 supplicant for testing. Do I need to use the NT-Password attribute?
Yes.
I guess my big question is do the encrypted passwords in the LDAP directory make authenticating impossible?
For PEAP, yes.
Do they need to be clear-text with the setup we have?
Or, NT-Passwords.
What are people out there with encrypted LDAP passwords (say SSHA) doing for radius authentication then? What type of authentication is being done and what supplicant is being used? I'd like to know what my options are. Thanks!
For Windows XP, I use PEAP with EAP-MSCHAP-V2. For everyone else, I use EAP-TTLS with PAP. EAP-MSCHAP-V2 authenticates using MS-CHAPv2 and the the NT-Password. PAP authenticates using LDAP bind.
For Windows XP users, I store userPassword (SSHA), sambaLMPassword and sambaNTPassword in LDAP. With the right Samba and nss_ldap/pam_ldap configuration, smbpasswd keeps three password in sync.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
