Quoting Paul Bender <[EMAIL PROTECTED]>:

> Grant, Alastair Ian wrote:
> > Quoting Alan DeKok <[EMAIL PROTECTED]>:
> >
> >>"Grant, Alastair Ian" <[EMAIL PROTECTED]> wrote:
> >>
> >>>We are using PEAP with MS-CHAPv2 and LDAP and a Win2000 supplicant
> >>>for testing. Do I need to use the NT-Password attribute?
> >>
> >> Yes.
> >>
> >>>I guess my big question is do the encrypted passwords in the LDAP
> >>>directory make authenticating impossible?
> >>
> >> For PEAP, yes.
> >>
> >>>Do they need to be clear-text with the setup we have?
> >>
> >> Or, NT-Passwords.
> >
> > What are people out there with encrypted LDAP passwords (say SSHA) doing for
> > radius authentication then? What type of authentication is being done and what
> > supplicant is being used? I'd like to know what my options are. Thanks!
>
> For Windows XP, I use PEAP with EAP-MSCHAP-V2. For everyone else, I use
> EAP-TTLS with PAP. EAP-MSCHAP-V2 authenticates using MS-CHAPv2 and the
> NT-Password. PAP authenticates using LDAP bind.
>
> For Windows XP users, I store userPassword (SSHA), sambaLMPassword and
> sambaNTPassword in LDAP. With the right Samba and nss_ldap/pam_ldap
> configuration, smbpasswd keeps three passwords in sync.
>
So the LMPassword and NTPassword are stored for the PEAP/MS-CHAPv2 authentication? And the userPassword is used for the LDAP bind by PAP, right?

Do you know of a Windows client that can do PAP/EAP-TTLS? Are the LMPassword and NTPasswords strongly encrypted?

Thanks!

-Al

