Universal Password is encrypted. Its attribute name is npsmDistributionPassword I believe. As a further protection it is only readable by admin roles.

You'll have to set up freeradius to bind with such a login and get the password and decrypt it. That function has been in freeradius for quite a while. That process will give freeradius (internally) a cleartext password to use for mschapv2. We moved to all M$ products a while back, but used freeradius against eDirectory for a couple of years before we moved to all Windows servers. It was low maintenance and worked well for us. The only issue was the moving auth target that M$ eap clients presented us. That's why we use IAS presently. At least when it breaks it's their fault.

Mearl

> -----Original Message-----
> From: freeradius-users-bounces+jmdanner=samford....@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford....@lists.freeradius.org] On Behalf Of Jason C Brown
> Sent: Thursday, February 05, 2009 10:45 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS without Universal Password
>
> I had to ask, I have people telling me that this is a limitation of only FreeRADIUS and not all RADIUS servers in general. There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.
>
> Jason Brown - RHCT, Security+, Linux+, Network+
> Systems Administrator
> Enterprise Technology Services
> Ferris State University
> (231) 591-2687
>
> On Feb 5, 2009, at 1:48 AM, Alan DeKok wrote:
>
> > Jason C Brown wrote:
> >> Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well?
> >
> > Please read this explanation again:
> >
> >>> The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/modified by ldap as userpassword but cannot be returned in an ldap search.
> >
> > The password can't be seen by *any* RADIUS server until it's stored as a Universal password.
> >
> > This is a limitation of Novell's LDAP server, and applies to all LDAP clients, whether they are RADIUS servers, command-line clients, web servers, or anything else.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
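Added example, not code from the thread or from FreeRADIUS: it shows why the RADIUS server needs the cleartext that the Universal Password retrieval yields. MS-CHAPv2 is verified against the NT hash, MD4 over the UTF-16LE password, and that hash cannot be derived from a one-way hashed userPassword (the {SSHA} form and the directory-entry dictionaries below are constructed sample data; MD4 is implemented inline because hashlib often lacks it under OpenSSL 3).

```python
import struct

def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), enough to compute NT hashes offline."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for rnd in range(3):
            for k in range(16):
                if rnd == 0:   # round 1: F, words in order, shifts 3/7/11/19
                    fn, idx, add, s = f(b, c, d), k, 0, (3, 7, 11, 19)[k % 4]
                elif rnd == 1: # round 2: G, column order, shifts 3/5/9/13
                    fn, idx, add, s = g(b, c, d), (k % 4) * 4 + k // 4, 0x5A827999, (3, 5, 9, 13)[k % 4]
                else:          # round 3: H, bit-reversed order, shifts 3/9/11/15
                    fn, idx, add, s = h(b, c, d), order3[k], 0x6ED9EBA1, (3, 9, 11, 15)[k % 4]
                a, b, c, d = d, rotl((a + fn + x[idx] + add) & mask, s), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); the value an MS-CHAPv2 response is checked against."""
    return _md4(password.encode("utf-16-le")).hex()

def mschapv2_key_from_entry(entry: dict):
    """Constructed model of what a RADIUS server gets back from the directory.
    'universal_password' stands for the cleartext recovered from npsmDistributionPassword;
    'userPassword' stands for the one-way hashed value. Only the former yields an NT hash;
    the hashed form cannot be turned back into one, so MS-CHAPv2 cannot be verified."""
    if "universal_password" in entry:
        return nt_hash(entry["universal_password"])
    return None  # hashed userPassword only: no NT hash obtainable

# Constructed sample entries, not real directory data.
WITH_UP = {"cn": "jdoe", "universal_password": "password"}
HASH_ONLY = {"cn": "jdoe", "userPassword": "{SSHA}constructedBase64ValueNotRealAAAAAAAA="}
```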