I think I'm gonna do PEAP + LDAP with MSCHAPv2, and I also have
crypted passwords... so what I'm planning to do is a middle step:
people will have to authenticate via web the first time, in order to check
the password. Then, if it's correct, the password will be hashed in the air
to NT format. This value will be stored in LDAP in the ntpassword (samba
schema) attribute. The programming will be in Perl ;) , but it won't be very portable,
as it'll be very "locale" adapted.
I've tested it, and FreeRADIUS correctly retrieves the LDAP ntpassword while
authorizing, and authenticates with it PEAP+MSCHAPv2 OK against an XP client...
isn't it fantastic? (FreeRADIUS, I mean) :)
Is my planning usual/correct/anathema?
bye

From: Martin Pauly <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: PEAP + LDAP with crypted PWs?
Date: Wed, 22 Sep 2004 19:35:20 +0200
Reply-To: [EMAIL PROTECTED]

Hi everyone,

We have shortly migrated our user database to OpenLDAP, keeping the
UNIX-crypted passwords. Now I would like to let wireless users authenticate
against this LDAP Server. Since we do not have a PKI in place, I have
set up an auth chain using PEAP/MSCHAPv2 (you might have guessed from
my previous posts).
For a first push, I split the chain and tested both LDAP and PEAP with cleartext
passwords on the RADIUS side; they both work now.

The big question is, of course, how to deal with the encrypted passwords.
Any Challenge-Response protocol such as MSCHAPv2 won't quite cut it, unless
you imagine fancy stuff like passing the seed for crypt to the client first
who can then in turn do the required hash ... So what might be a feasible
option? TTLS has been a second option only so far, since PEAP is already
wired into Windows XP -- which is still what most of our users will be
running for some time :-| On the other hand, I haven't seen anything like
PEAP-PAP so far, but I have seen there is TTLS-PAP and the like.

Any suggestions? Thanks, Martin

--
Dr. Martin Pauly     Fax:    49-6421-28-26994
HRZ Univ. Marburg    Phone:  49-6421-28-23527
Hans-Meerwein-Str.   E-Mail: [EMAIL PROTECTED]
D-35032 Marburg

