Robert WAKIM wrote:
Thanks for the answer. It works if I store the passwords in clear text in the LDAP database. What method should I use to store the passwords in MD5?
I don't think you can use any challenge-response mechanisms with the passwords MD5-"crypt"ed.
Some MD5-based challenge-response methods (such as Digest-MD5) can work if you store the derived HA1 value, which is different from the /etc/passwd-style MD5 "crypt" one-way hash. I would have to look at the EAP-MD5 mechanism RFC to see whether that is true, but in any case, when I glanced at the 1.0.5 source code of rlm_eap_md5, *it* wasn't written to be able to make use of the HA1 as far as I could tell.
If you store the ntPassword, you can extract that into the NT-Password RADIUS attribute and use MS-CHAP. Or, depending on what 802.1X supplicant you're using, you could use TTLS with a PAP inner mechanism, and you can check PAP against any store/crypt.
Note that both the HA1 and NT hashes are plaintext-equivalent, i.e. if you steal them, it's just as good as having the password, so the security benefits of storing such a crypt rather than the plaintext are somewhat questionable IMHO.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
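The following is an added example, not FreeRADIUS code and not part of the thread above, illustrating the reply's three points: a Digest-style challenge can be answered from the stored HA1 alone (which is why HA1 is plaintext-equivalent), a one-way "crypt"-style hash can only be checked against a plaintext submitted via PAP, and a stolen one-way hash does not let an attacker pass that PAP check. Two simplifications are assumptions of the example: the Digest computation is the RFC 2617 shape without qop (Digest-MD5 for SASL adds a cnonce and a second hashing step), and PBKDF2-SHA256 stands in for /etc/passwd MD5-crypt. The username, realm and password are constructed sample values.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed sample credential, not taken from the mailing-list thread.
USERNAME = "alice"
REALM = "example.org"
PASSWORD = "correct horse"


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This is what a Digest-capable store keeps."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str = "AUTHENTICATE",
                    uri: str = "radius/example.org") -> str:
    """Client-side Digest response (RFC 2617 shape, no qop; a simplification).

    Only HA1 enters the computation: anyone holding HA1 can answer any nonce
    without ever knowing the password.
    """
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_digest_check(stored_ha1: str, nonce: str, response: str) -> bool:
    """Server recomputes the expected response from its stored HA1 and compares."""
    expected = digest_response(stored_ha1, nonce)
    return secrets.compare_digest(expected, response)


def attacker_with_stolen_ha1_passes(stolen_ha1: str) -> bool:
    """Attacker holds only the stolen HA1; the server issues a fresh random nonce."""
    nonce = secrets.token_hex(16)
    forged = digest_response(stolen_ha1, nonce)  # PASSWORD is never used here
    return server_digest_check(stolen_ha1, nonce, forged)


def oneway_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 100_000) -> str:
    """Salted one-way hash standing in for a /etc/passwd-style crypt string.

    PBKDF2-SHA256 is used instead of MD5-crypt purely so the example has no
    third-party dependency; the property demonstrated is the same.
    """
    salt = salt if salt is not None else os.urandom(8)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def pap_verify(stored: str, candidate_plaintext: str) -> bool:
    """PAP check: the client sent a plaintext, the server re-derives and compares.

    A challenge-response method cannot do this, because the server needs the
    plaintext to recompute the one-way hash.
    """
    _, scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate_plaintext.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


def attacker_with_stolen_oneway_hash_passes(stolen: str) -> bool:
    """Replaying the stolen hash string as the PAP password does not work."""
    return pap_verify(stolen, stolen)


if __name__ == "__main__":
    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    crypt_like = oneway_store(PASSWORD)
    print("Digest with stolen HA1      :", attacker_with_stolen_ha1_passes(ha1))  # True
    print("PAP with stolen one-way hash:", attacker_with_stolen_oneway_hash_passes(crypt_like))  # False
    print("PAP with the real password  :", pap_verify(crypt_like, PASSWORD))  # True
```

The contrast is the practical takeaway from the reply: a store that can answer challenge-response (HA1, NT hash) must hold a value the authenticator can use directly, so it protects against nothing but casual shoulder-surfing of the directory; a genuinely one-way store can only back PAP-style methods, which is why the TTLS/PAP suggestion is the one that works with an existing crypt.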

