Steffen Langhammer wrote:
> It's a bad system and solution in this case.

The only problem is the failure to understand limitations.

I didn't say "FreeRADIUS couldn't do it". I said "it's impossible".

> Because a cleartext-match isn't the same as a ldap-bind.

That isn't news.

> I was checking Cisco ACS and there an option handles different LDAP
> Sources with encrypted fields.

For Access-Requests that contain CLEAR TEXT PASSWORDS. It does NOT DO THIS for Access-Requests that contain PEAP.

FreeRADIUS can authenticate Access-Requests against crypt'd passwords in LDAP, when the Access-Requests contain a User-Password attribute.

Why? Because the table I pointed you to shows that it's POSSIBLE. The red entries in the table show what is IMPOSSIBLE. The text on that page explains in great detail what your options are if you want to do the impossible.

Now stop arguing. If you think that ACS can do PEAP authentication using crypt'd passwords in LDAP, then go buy ACS. Maybe their support department will convince you that it's impossible. If they don't, they won't care, because you'll have paid $5K for a piece of software that doesn't solve your problem.

You'll then have to do *ANYWAYS* what I'm telling you: change your requirements.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
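An added example (not part of the original message, and not FreeRADIUS code) of the distinction argued above: a server holding only a salted one-way hash can check a request that carries the cleartext User-Password, but cannot check a challenge-response exchange of the kind carried inside PEAP. Assumptions: LDAP's `{SSHA}` scheme stands in for the crypt'd value, an HMAC-SHA256 exchange stands in for the method inside PEAP (normally MS-CHAPv2, which needs the NT hash or the cleartext), and all function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

def ssha(password: str, salt: bytes) -> str:
    """LDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_pap(stored: str, cleartext: str) -> bool:
    """PAP case: the server sees the cleartext, so it can redo the salted hash."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    salt = raw[20:]  # a SHA-1 digest is 20 bytes; the salt follows it
    return hmac.compare_digest(ssha(cleartext, salt), stored)

def protocol_key(password: str) -> bytes:
    """Stand-in for the fixed, unsalted key a challenge-response client derives."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(protocol_key(password), challenge, hashlib.sha256).digest()

def check_challenge(server_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: must recompute the response from whatever it has stored."""
    expected = hmac.new(server_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "correct horse"        # constructed sample password
    stored = ssha(password, bytes.fromhex("a1b2c3d4"))  # what LDAP holds
    stored_raw = base64.b64decode(stored[len("{SSHA}"):])
    challenge = os.urandom(16)
    response = client_response(password, challenge)
    return {
        # Cleartext in the request: salted hash in LDAP is enough.
        "pap_vs_ssha": check_pap(stored, password),
        # Challenge-response: the salted hash is the wrong one-way function,
        # so even the correct password cannot be verified.
        "chal_vs_ssha": check_challenge(stored_raw, challenge, response),
        # Works only if the directory stores the protocol's own key (or cleartext).
        "chal_vs_key": check_challenge(protocol_key(password), challenge, response),
    }

if __name__ == "__main__":
    print(demo())
```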

