Hello Mike,

MSCHAPv2 is a mutual challenge-response protocol. The client does not send the password in NT hash format. The NT-hashed password is used to calculate the response to the challenge.

Because MSCHAPv2 is mutual, both client and server must be able to calculate the correct response. That is why the server can't just decide that authentication is successful, as it can, for example, with PAP. I think that it is not possible to get PEAP with MSCHAPv2 working with bcrypt-hashed passwords.

Best Regards,
Sami

On 01/16/2015 07:52 PM, Mike Puchol wrote:
> Greetings,
>
> I'm working on a deployment that should support PEAP with MSCHAPv2, but which
> cannot have either plaintext passwords or NT hashes stored (the latter can
> be decrypted in milliseconds on sites such as
> http://www.hashkiller.co.uk/ntlm-decrypter.aspx).
>
> Passwords are stored in BCrypt hash format, so my questions are:
>
> 1. I could, when signing users up, do plaintext -> nthash -> bcrypt, and then
> compare the incoming nthash from the client also passed through bcrypt inside
> a hook. I've spent the last two days looking at hook examples, mailing list
> posts and the documentation, but I cannot figure out where to put the hook,
> or how to get the nthash from the EAP messages.
>
> 2. A secondary question, derived from #1 above: is there any documentation on
> hooks that explains how/what parameters and functions are available for each
> hook type? I don't mind looking through code, but I've not found a clear
> answer. Example: for PreAuthHook, we're told $_[0] contains a "reference to
> the current request"... kind of vague.
>
> I'm doing AuthBy SQL, no LDAP (found tons of password-related info for LDAP
> and its hooks... but not useful).
>
> Cheers,
>
> Mike
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Sami Keski-Kasari <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
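As an added illustration of Sami's point (example code written for this page; it is not Radiator's code and not part of the thread), here is the RFC 2759 arithmetic for both sides of an MS-CHAPv2 exchange in Go. The function names are mine; the computations are the RFC's NtPasswordHash, ChallengeHash, ChallengeResponse/GenerateNTResponse and GenerateAuthenticatorResponse, and the inputs in main are the test vectors from RFC 2759 section 9.2 (`auth` is the AuthenticatorChallenge the server sends, `peer` the PeerChallenge the client picks). What the code makes visible: the client transmits a 16-byte PeerChallenge and a 24-byte NT-Response, never the NT hash, so there is no "incoming nthash" that a hook could pass through bcrypt; to verify, the server has to rebuild the three DES keys from the NT hash itself, and to produce its own AuthenticatorResponse it needs MD4(NT hash). A bcrypt digest of the NT hash is a one-way function of exactly the value both of those steps consume, so it cannot stand in for it. MD4 is written out because the Go standard library does not provide it.

```go
package main // Added example for this thread, not Radiator's code: RFC 2759 MS-CHAPv2 on both sides

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

// md4 implements RFC 1320 (the Go standard library ships no MD4).
func md4(data []byte) []byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80)                       // message, then a 1 bit
	msg = append(msg, make([]byte, (55-len(data)%64+64)%64+8)...)        // zeros to 56 mod 64, room for length
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8) // bit length, little-endian
	rot := func(x uint32, s int) uint32 { return x<<s | x>>(32-s) }
	s1, s2, s3 := []int{3, 7, 11, 19}, []int{3, 5, 9, 13}, []int{3, 9, 11, 15}
	k3 := []int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F(b,c,d) = (b AND c) OR (NOT b AND d)
			a, b, c, d = d, rot(a+((b&c)|(^b&d))+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G(b,c,d) = majority of b, c, d
			a, b, c, d = d, rot(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H(b,c,d) = b XOR c XOR d
			a, b, c, d = d, rot(a+(b^c^d)+x[k3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash is NtPasswordHash(): MD4 over the UTF-16LE encoded password.
func ntPasswordHash(password string) []byte {
	var buf []byte
	for _, c := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(c), byte(c>>8))
	}
	return md4(buf)
}

// sha1Of is SHA-1 over the concatenation of its arguments.
func sha1Of(parts ...[]byte) []byte {
	s := sha1.Sum(bytes.Join(parts, nil))
	return s[:]
}

// ntResponse is GenerateNTResponse(): the NT hash, zero-padded to 21 bytes, is cut into
// three 7-byte DES keys that each encrypt the 8-byte ChallengeHash(). The client sends
// the 24-byte result, never the hash; the server must recompute it from the same hash.
func ntResponse(auth, peer []byte, user string, ntHash []byte) []byte {
	challenge := sha1Of(peer, auth, []byte(user))[:8] // ChallengeHash()
	z := make([]byte, 21)
	copy(z, ntHash)
	resp := make([]byte, 24)
	for n := 0; n < 3; n++ {
		var v uint64 // the 7-byte key as a 56-bit integer
		for _, b := range z[7*n : 7*n+7] {
			v = v<<8 | uint64(b)
		}
		key := make([]byte, 8) // 7 key bits per byte; DES ignores the low (parity) bit
		for i := range key {
			key[i] = byte(v>>(49-7*i)&0x7f) << 1
		}
		blk, _ := des.NewCipher(key) // an 8-byte key cannot make NewCipher fail
		blk.Encrypt(resp[8*n:], challenge)
	}
	return resp
}

// serverCheck is the server side: it needs the NT hash itself as DES key material, so a bcrypt digest of it is useless here.
func serverCheck(auth, peer []byte, user string, ntHash, resp []byte) bool {
	return subtle.ConstantTimeCompare(ntResponse(auth, peer, user, ntHash), resp) == 1
}

// authenticatorResponse is the server's proof to the client; it consumes MD4(NT hash).
func authenticatorResponse(auth, peer []byte, user string, ntHash, resp []byte) string {
	d := sha1Of(md4(ntHash), resp, []byte("Magic server to client signing constant"))
	d = sha1Of(d, sha1Of(peer, auth, []byte(user))[:8], []byte("Pad to make it do more than one iteration"))
	return fmt.Sprintf("S=%X", d)
}

func main() { // RFC 2759 section 9.2 vectors: UserName "User", Password "clientPass"
	auth, peer := []byte("[]|}{?/><,`!2&&("), []byte("!@#$%^&*()_+:3|~")
	ntHash := ntPasswordHash("clientPass")
	resp := ntResponse(auth, peer, "User", ntHash)
	fmt.Printf("NT-Response %X\nserver accepts %v\n%s\n", resp, serverCheck(auth, peer, "User", ntHash, resp), authenticatorResponse(auth, peer, "User", ntHash, resp))
}
```

Run with `go run`; with the RFC's inputs the last line printed is the RFC's own AuthenticatorResponse, which confirms every step above it (NT hash, ChallengeHash, DES key spreading, NT-Response). Mike's idea #1 would need `serverCheck` to work from bcrypt(ntHash) instead of ntHash, and nothing in `ntResponse` can be evaluated without the real hash bytes as key material; the same holds for `md4(ntHash)` in `authenticatorResponse`. The comparison uses `subtle.ConstantTimeCompare` so the verdict does not leak how many response bytes matched.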
