It all depends on what hashing algorithm you're using to store your
passwords. Cleartext is, obviously, the simplest to get working.
Beyond that, it's simply a matter of having hashes that are
*compatible* with what form of authentication you are using. In
other words, does the authentication method you're using pass the
password or some hashed value? PAP is a cleartext password protocol,
so it can usually work with any hashing algorithm, because the server
is receiving the user's *actual* password. MSCHAPv2, for instance,
is a different story. The authentication server is not receiving the
user's password in this case, rather a hash created by performing
some transformation on the password before sending it. Therefore,
you either have to have access to the user's cleartext password to be
able to perform the same transformation or a hash that is compatible
with what is received (an NTLM hash in this case).
This is one of the reasons that EAP-TTLS/PAP is as popular as it is
with many institutions... It's compatible with pretty much any
*existing* password storage mechanism.
--Mike
On Jul 6, 2007, at 9:37 AM, Ryan Lininger wrote:
I could use some help understanding the password storage situation
as it relates to LDAP, radius, and 802.1x. Currently we store
hashes of passwords in an LDAP database that is used for user
authentication. I would like to implement WPA on our wireless
network but in my reading all the explanations I have come across
state that you have to store user passwords in clear text rather
than hash form.
Is it possible to implement 802.1x without storing passwords in
clear text? Will future standards have this ability or are we
stuck storing passwords in clear text?
Any replies would be appreciated.
Thanks,
--
Ryan Lininger
Network Systems Engineer
Denison University
p 740.587.6229
f 740.587.5722
[EMAIL PROTECTED]
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.