Hi Louis
Hope you are well...
Been looking a little deeper at EAP-PEAP and not sure if it's 100% secure;
there are many articles out there that describe its faults, where password
hashes (MS-CHAPv2) can be cracked by an attacker setting up a fake AP
pointing to a rogue RADIUS server...
Would be great to get your thoughts on this, I am now thinking of going
with EAP-TLS..
I know in EAP-PEAP the RADIUS server encrypts the connection using its
certs and provides this to the server; however, users being users will
accept any old cert.
On 13 November 2015 at 17:06, Louis Munro <[email protected]> wrote:
>
>
> On Nov 13, 2015, at 10:50 , Mohamed Hamid <
> [email protected]> wrote:
>
> Hi Louis
>
> Many thanks for your kind reply..
>
> To clarify
>
> I do not store any password hashes in OpenLDAP, all hashes are kept in
> kerberos. I use SASL to bridge incoming user auth requests between OpenLDAP
> and Kerberos.
>
> So openLDAP does not see any hashes..
>
> Can user based authentication still be achieved here?
>
>
>
> Without the hashes you cannot authenticate using PEAP.
> That is not a limitation of PacketFence but of the PEAP protocol itself.
>
> What you could try is setting up a captive-portal that authenticates users
> against your LDAP directory and then use provisioning to configure EAP-TLS
> authentication with your own Certification Authority.
> It’s hard to recommend something for sure not knowing the details of your
> existing configuration.
> You may have to play around with PacketFence a bit to find what works best
> for you.
>
> Your real difficulty will be that devices (especially windows) often don’t
> support anything apart from PEAP and EAP-TLS with PKI.
> Those are the two protocols that work the best, but without hashes you
> cannot use PEAP and EAP-TLS will require that you distribute the CA and
> client certificates as well as configure the supplicants to use them.
>
> Keep us informed. Those look like interesting problems to have (which is, I
> believe, an old Chinese curse).
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
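The weakness the thread is circling is not PEAP's inner encryption but the supplicant side: if the client does not pin the RADIUS server's certificate (trust anchor plus expected server name), a rogue AP with its own RADIUS server terminates the TLS tunnel and receives the MS-CHAPv2 exchange. The following is an added example, not code from the thread, from PacketFence or from Inverse: a small linter that reads wpa_supplicant.conf network blocks and flags EAP networks that lack a `ca_cert`, or that have one but no `domain_match` / `domain_suffix_match` / `subject_match` / `altsubject_match` pinning, and checks that an EAP-TLS block actually carries the client certificate and key Louis mentions having to distribute. The sample config, SSID, identities, file paths and server name are constructed for illustration.

```python
"""Audit wpa_supplicant.conf for PEAP/EAP-TLS supplicant settings that let a
rogue AP + rogue RADIUS server harvest an MS-CHAPv2 exchange.
Added example; not from the mailing-list thread or PacketFence."""
import re

# Constructed sample config (paths, SSID, identity and server name are made up).
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant

# weak: no trust anchor at all, any server certificate is accepted
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="mhamid"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# weaker than it looks: CA pinned, but any cert that CA issued is accepted
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="mhamid"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}

# hardened PEAP: trust anchor plus expected RADIUS server name
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="mhamid"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

# EAP-TLS: CA, client cert and private key must all be distributed
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="[email protected]"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/ssl/certs/mhamid.pem"
    private_key="/etc/ssl/private/mhamid.key"
    domain_match="radius.corp.example"
}
"""

# wpa_supplicant options that bind the server certificate to an expected name
PIN_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(conf):
    """Return one dict (key -> unquoted value) per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        block = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, val = line.split("=", 1)  # split once: phase2="auth=MSCHAPV2"
            block[key.strip()] = val.strip().strip('"')
        nets.append(block)
    return nets


def audit(conf):
    """Return findings as (ssid, eap, problem) tuples; empty list = nothing flagged."""
    findings = []
    for net in parse_networks(conf):
        ssid, eap = net.get("ssid", "?"), net.get("eap", "").upper()
        if not eap:
            continue  # PSK/open network: no RADIUS server certificate involved
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append((ssid, eap, "no ca_cert: any server certificate is accepted"))
            continue  # name pinning is moot without a trust anchor
        if not any(k in net for k in PIN_KEYS):
            findings.append((ssid, eap, "ca_cert without domain/subject match: any cert that CA signed is accepted"))
        if eap == "TLS" and not ("client_cert" in net and "private_key" in net):
            findings.append((ssid, eap, "EAP-TLS block is missing client_cert or private_key"))
    return findings


if __name__ == "__main__":
    for ssid, eap, problem in audit(SAMPLE_CONF):
        print(f"[{ssid}] {eap}: {problem}")
```

Run against the sample it reports the first two PEAP blocks and stays silent on the pinned PEAP block and the EAP-TLS block. The same two checks map onto the Windows supplicant dialog: "Validate server certificate" with the corporate CA ticked corresponds to `ca_cert`, and "Connect to these servers" corresponds to `domain_match`; the MS-CHAPv2 harvest described in the first message works whenever either of those is left off and the user clicks through the prompt.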