Mike,
This helps a lot. It looks like EAP-TTLS/PAP is the direction I should
take with my investigation. Up till now I have been looking at EAP
types (EAP-TTL, PEAPv0, PEAPv2, etc.) and not getting the full story. I
will now turn my attention to the inner protocols PAP and CHAPv2.
Thanks,
Ryan Lininger
Network Systems Engineer
Denison University
p 740.587.6229
f 740.587.5722
[EMAIL PROTECTED]
Michael Griego wrote:
It all depends on what hashing algorithm you're using to store your
passwords. Cleartext is, obviously, the simplest to get working.
Beyond that, it's simply a matter of having hashes that are
*compatible* with what form of authentication you are using. In other
words, does the authentication method you're using pass the password
or some hashed value? PAP is a cleartext password protocol, so it can
usually work with any hashing algorithm, because the server is
receiving the user's *actual* password. MSCHAPv2, for instance, is a
different story. The authentication server is not receiving the
user's password in this case, rather a hash created by performing some
transformation on the password before sending it. Therefore, you
either have to have access to the user's cleartext password to be able
to perform the same transformation or a hash that is compatible with
what is received (an NTLM hash in this case).
This is one of the reasons that EAP-TTLS/PAP is as popular as it is
with many institutions... It's compatible with pretty much any
*existing* password storage mechanism.
--Mike
On Jul 6, 2007, at 9:37 AM, Ryan Lininger wrote:
I could use some help understanding the password storage situation as
it relates to LDAP, radius, and 802.1x. Currently we store hashes of
passwords in an LDAP database that is used for user authentication.
I would like to implement WPA on our wireless network but in my
reading all the explanations I have come across state that you have
to store user passwords in clear text rather than hash form.
Is it possible to implement 802.1x without storing passwords in clear
text? Will future standards have this ability or are we stuck
storing passwords in clear text?
Any replies would be appreciated.
Thanks,
--Ryan Lininger
Network Systems Engineer
Denison University
p 740.587.6229
f 740.587.5722
[EMAIL PROTECTED]
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
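
The compatibility point made in the thread above, as an added Python example that is not part of the original messages: PAP delivers the password itself, so the server can verify it against a salted {SSHA} hash, while a challenge-response method cannot be checked against that hash. Plain CHAP (RFC 1994) stands in here for the challenge-response family; MSCHAPv2 uses a different computation based on the NT hash. The password, salt, identifier and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac

def ssha_hash(password: str, salt: bytes) -> str:
    """LDAP-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_verify(received_password: str, stored: str) -> bool:
    """PAP: the server receives the password, so it can re-hash and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(received_password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    """The server must recompute the response from whatever it has stored."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "correct horse"                          # constructed credential
    stored = ssha_hash(password, b"\x01\x02\x03\x04")   # what the directory holds
    ident, challenge = 7, bytes(range(16))              # constructed CHAP values
    # The client computes its response from the real password.
    client_resp = chap_response(ident, password.encode(), challenge)
    return {
        # PAP works against the hash store.
        "pap_vs_hash": pap_verify(password, stored),
        "pap_wrong_password": pap_verify("wrong", stored),
        # The salted hash is not the CHAP secret, so verification fails.
        "chap_vs_hash": chap_verify(ident, challenge, client_resp,
                                    stored.encode()),
        # Only a server holding the cleartext can recompute the response.
        "chap_vs_cleartext": chap_verify(ident, challenge, client_resp,
                                         password.encode()),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```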