At UTD, in order to support MSCHAPv2 for Windows supplicants, we went ahead and added a secondary attribute to hold the NTLM hash and restricted access to that attribute to an LDAP DN that the RADIUS servers authenticated with. Going this route works well, except you have to plan ahead a little, because you'll need time to populate the new attribute. We handled this by adding code into our account management system about six months ahead of our 802.1x rollout to begin populating the attribute during password changes. Since the password policy forced password changes periodically, that picked up most of the users before the 802.1x rollout. The rest of the users were simply instructed to reset their passwords to force population of the new attribute.

--Mike

If you have a cleartext password in LDAP, you don't need to do anything, though, as most RADIUS servers can create the NTLM hash from it on the fly.

On Aug 30, 2008, at 8:59 AM, Ryan Lininger wrote:

Frank is right that PEAP requires that the passwords be stored in a specific format. We tried to use FreeRadius and OpenLDAP with PEAP but couldn't get it to work because it required that we store the passwords in the LDAP database in either clear text or NTLM hash. We store our passwords in a more secure (and not supported by MSCHAPv2) format so we had to move to EAP-TTLS with PAP.

Also, if it helps, this site has some setup instructions that you may find helpful: http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Ryan.


Frank Bulk wrote:
I'm sure you could use LDAP if you stored your passwords in the format necessary for MSCHAPv2, but the problem is that with LDAP most often the passwords are in clear text or some other format.

Frank

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of John York
Sent: Tuesday, August 26, 2008 9:27 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?

I've been wanting to do PEAP with an ldap backend, but could never find a way to do it. EAP needs authentication traffic that RADIUS supports, but ldap doesn't. In fact, TTLS with secureW2 was recommended to me as the way to do it--unfortunately, our Cisco ACS doesn't support TTLS. We do use PEAP with the built-in Vista client and authentication from Cisco ACS to a Windows RADIUS (IAS) backend. It works fine (assuming the ADS guys cooperate--don't know why they wouldn't, since IAS is easy to configure.) If you find a combination that will let you use PEAP and an ldap backend, please let me know.

Thanks
John

John York
Network Engineer
Blue Ridge Community College
Weyers Cave, VA



-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Philippe Hanset
Sent: Tuesday, August 26, 2008 10:06 AM
To: [email protected]
Subject: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?

All,

We want to move to EAP-PEAP instead of EAP-TTLS (SecureW2),
and try to use the built-in client in Vista and XP.
We use RADIATOR for RADIUS and have two identical back end directories:
LDAP and Active Directory.

Considering the hashing issue that MSchapV2 introduces we want to
authenticate against AD. But our AD admin is giving us a hard time.
He wants us to join his domain and do NTLM/Kerberos.
This involves a lot of SAMBA and I'm more of a Tango guy!

Is there a better way with UNIX Based RADIUS (RADIATOR in our case)?

Thank you in advance,

Philippe

----------------------------------
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555
----------------------------------

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
