Grant, Alastair Ian wrote:
Quoting Paul Bender <[EMAIL PROTECTED]>:


For Windows XP, I use PEAP with EAP-MSCHAP-V2. For everyone else, I use EAP-TTLS with PAP. EAP-MSCHAP-V2 authenticates using MS-CHAPv2 and the NT-Password. PAP authenticates using LDAP bind.


For Windows XP users, I store userPassword (SSHA), sambaLMPassword and sambaNTPassword in LDAP. With the right Samba and nss_ldap/pam_ldap configuration, smbpasswd keeps the three passwords in sync.


So the LMPassword and NTPassword are stored for the PEAP/MS-CHAPv2 authentication?

Yes, the passwords are stored. Only the NT-Password is used for the PEAP/EAP-MSCHAP-V2 authentication. If you use the LDAP schema provided with Samba version 3, then the LM-Password is sambaLMPassword and the NT-Password is sambaNTPassword. If you use this schema, then you will need to adjust the mapping in FreeRADIUS's ldap.attrmap file, because the file is configured to map the attributes from the Samba version 2 LDAP schema.


And the userPassword is used for the LDAP bind by PAP right?

Yes.

Do you know of a windows client that can do PAP/EAP-TTLS?

Yes, there are some Windows clients. There is even one that is free (as in gratis) for personal use: <http://www.securew2.com/uk/downloadbuy/>. However, I have not used any of them. Some of my users do not have the privileges on their computers needed to install software. Therefore, a third-party client was not an option for me.


Are the LMPassword and NTPasswords strongly encrypted?

They are hashed, similar to the non-cleartext userPassword. As with any hashed password, they are subject to dictionary attacks. Therefore, you should restrict access to them. For example, before FreeRADIUS can read the sambaNTPassword, I require FreeRADIUS to connect to the LDAP server using STARTTLS and to bind to the LDAP server using a strong password. In fact, for each user, only Samba, FreeRADIUS and the user have access to the user's sambaNTPassword.




- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
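The following configuration fragments are an added illustration of the setup described in the thread (the Samba 3 attribute mapping, STARTTLS before the FreeRADIUS bind, and restricting who can read the NT/LM hashes); they are not Paul's or Alastair's files. Host names, DNs, paths and the bind secret are placeholders, and the syntax assumes FreeRADIUS 1.x and an OpenLDAP slapd.conf.

```conf
# --- /etc/raddb/ldap.attrmap (FreeRADIUS 1.x) ---
# The shipped file maps to the Samba 2 attribute names; point the
# check items at the Samba 3 schema attributes instead.
checkItem	LM-Password	sambaLMPassword
checkItem	NT-Password	sambaNTPassword

# --- radiusd.conf, ldap module (host, DNs and secret are placeholders) ---
ldap {
	server   = "ldap.example.org"
	identity = "cn=radius,ou=services,dc=example,dc=org"
	password = "CHANGE-ME-long-random-secret"
	basedn   = "ou=people,dc=example,dc=org"
	filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	# STARTTLS before binding, so neither the bind secret nor the
	# NT hash crosses the wire in the clear; verify the server cert.
	start_tls        = yes
	tls_cacertfile   = /etc/raddb/certs/ldap-ca.pem
	tls_require_cert = "demand"
	# PAP inside EAP-TTLS is checked by binding as the user
	# (Auth-Type LDAP), so this DN never needs to read userPassword.
}

# --- slapd.conf (OpenLDAP) access control; DNs are placeholders ---
# The NT/LM hashes are password-equivalent. Only Samba (writes them),
# FreeRADIUS (reads them, and only over a TLS session with ssf >= 128)
# and the user can see them; everyone else gets nothing.
access to attrs=sambaLMPassword,sambaNTPassword
	by dn.exact="cn=samba,ou=services,dc=example,dc=org" write
	by dn.exact="cn=radius,ou=services,dc=example,dc=org" ssf=128 read
	by self write
	by * none

# userPassword (SSHA) is only ever used to bind, never read back.
access to attrs=userPassword
	by anonymous auth
	by self write
	by * none
```

The radius bind DN is tested with `ldapsearch -ZZ -D "cn=radius,..." -W` (STARTTLS required) and again without `-ZZ`: the second search should return the entry without sambaNTPassword.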
