Matt Ashfield wrote:

> I'm poring through the alphabet soup of all of this and have a few
> questions that keep popping up.
>
> During a PAP conversation, the RADIUS server ends up with the
> username/password passed to it from the client. It then encrypts the
> password to match the encryption of the stored password in LDAP (or other
> directory) and tries a bind. Correct?
Yes

> During a PEAP conversation, the RADIUS server also would end up with a
> username/password received from the client (either via clear-text or via the
> MSCHAP conversation). Why can it not then encrypt the password just like PAP
> did? Does it do the comparison to LDAP stored passwords via MSCHAP as well?

No, miles off. During a PEAP/MS-CHAP conversation, the server ends up with:

  challenge == random bytes
  response  == HASH(challenge, HASH(password))

If the server has any of:

 * the plaintext password
 * HASH(password), i.e. the NT or LM hashes
 * access to a domain controller which has the NT/LM hashes

...it can check that the challenge and response match and that the client is who they say they are.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
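The reply's point, worked through in code (an added illustration, not FreeRADIUS code and not from either poster): with PAP the server holds the cleartext, so it can re-run whatever scheme the directory used (here OpenLDAP-style {SSHA}, base64(SHA1(password||salt)||salt)); with MS-CHAP it only ever sees a challenge and HASH(challenge, HASH(password)), so it must already hold HASH(password), the NT hash (MD4 over the UTF-16LE password, implemented in full below), or the cleartext from which to compute it. A salted SSHA entry cannot be turned into an NT hash, so that user simply cannot be authenticated via MS-CHAP. The outer step stands in for the real MS-CHAPv2 NT-Response, which uses three DES operations keyed from the NT hash; this example uses HMAC-SHA1 keyed with the NT hash instead, so the shape of the check is the same but the bytes are not MS-CHAPv2 bytes. The usernames, records, password and challenge are constructed sample data.

```python
"""PAP vs. MS-CHAP-style verification against differently stored passwords.

Added illustration for the list reply above; not FreeRADIUS code.
"""
import base64
import hashlib
import hmac
import struct


def _md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), written out because hashlib may lack it on modern OpenSSL."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, message words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 over the password encoded as UTF-16LE."""
    return _md4(password.encode("utf-16le"))


def ssha_store(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} value: base64(SHA1(password||salt)||salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pap_check(password: str, record: dict) -> bool:
    """PAP: the server has the cleartext, so it re-runs the stored scheme and compares."""
    scheme, value = record["scheme"], record["value"]
    if scheme == "ssha":
        raw = base64.b64decode(value[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)
    if scheme == "nt":
        return hmac.compare_digest(nt_hash(password).hex(), value.lower())
    if scheme == "cleartext":
        return hmac.compare_digest(password, value)
    return False


def mschap_style_response(challenge: bytes, password_hash: bytes) -> bytes:
    """HASH(challenge, HASH(password)). Stand-in for the DES-based MS-CHAPv2
    NT-Response: HMAC-SHA1 keyed with the NT hash, truncated to 24 bytes."""
    return hmac.new(password_hash, challenge, hashlib.sha1).digest()[:24]


def mschap_style_check(challenge: bytes, response: bytes, record: dict) -> str:
    """Server side: verify a challenge/response. Returns 'ok', 'bad-password', or
    'no-usable-hash' when the stored form cannot yield HASH(password)."""
    scheme, value = record["scheme"], record["value"]
    if scheme == "cleartext":
        password_hash = nt_hash(value)          # can derive the NT hash on the fly
    elif scheme == "nt":
        password_hash = bytes.fromhex(value)    # already HASH(password)
    else:
        return "no-usable-hash"                 # salted SSHA etc.: nothing to compute with
    expected = mschap_style_response(challenge, password_hash)
    return "ok" if hmac.compare_digest(expected, response) else "bad-password"


PASSWORD = "password"          # constructed sample credential shared by all three users
CHALLENGE = bytes(range(16))   # constructed stand-in for the server's random challenge


def build_directory(password: str) -> dict:
    """Constructed directory: same password, three storage schemes."""
    return {
        "alice": {"scheme": "ssha", "value": ssha_store(password, b"salt1234")},
        "bob": {"scheme": "nt", "value": nt_hash(password).hex()},
        "carol": {"scheme": "cleartext", "value": password},
    }


def demo() -> dict:
    """Run both checks for every user; the MS-CHAP client never sends the password."""
    directory = build_directory(PASSWORD)
    client_response = mschap_style_response(CHALLENGE, nt_hash(PASSWORD))
    return {
        user: {"pap": pap_check(PASSWORD, rec),
               "mschap": mschap_style_check(CHALLENGE, client_response, rec)}
        for user, rec in directory.items()
    }


if __name__ == "__main__":
    for user, result in demo().items():
        print(user, result)
```

Only bob (NT hash stored) and carol (cleartext stored) pass the MS-CHAP-style check; alice passes PAP but is unverifiable over MS-CHAP, which is exactly why a directory that stores only salted SHA hashes cannot back PEAP/MS-CHAPv2 without also storing the NT hash or the cleartext.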

