At the University of Twente (NL) we support both TTLS/PAP and PEAP; for
PEAP we use an LDAP backend. The LDAP server has the passwords stored
with reversible encryption; our Radius server (Radiator) has the key to
decrypt them. Using cleartext passwords in LDAP would also work, but we
prefer the added security where the passwords are stored with
encryption.

So, it's possible to do PEAP with an LDAP backend with cleartext
passwords, or encrypted passwords that can be decrypted by the Radius
server.


Best regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
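
Added example, not part of the original message and not code from Radiator, FreeRadius or OpenLDAP: a Python sketch of why a one-way salted hash in LDAP still works for PAP inside TTLS but not for MSCHAPv2 inside PEAP. The function names and the sample value are constructed for illustration; the `{SSHA}`/`{SHA}` prefixes follow the OpenLDAP userPassword convention.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # digest length for the {SHA} and {SSHA} schemes

def parse_userpassword(value):
    """Split a userPassword value into (scheme, payload)."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEARTEXT", value  # no prefix: stored in the clear

def make_ssha(password, salt=None):
    """Build a salted SHA-1 value; used here only to construct sample data."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_pap(stored, password):
    """PAP: the server receives the password itself, so it can re-hash it."""
    scheme, payload = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), password.encode())
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(payload)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt is empty for {SHA}
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)

def usable_inner_methods(stored):
    """MSCHAPv2 is challenge-response: the server never sees the password and
    must compute the response from the cleartext or its NT hash. A one-way
    hash yields neither, so only PAP remains. A reversibly encrypted value
    counts as cleartext once the RADIUS server has decrypted it."""
    scheme, _ = parse_userpassword(stored)
    return ["PAP", "MSCHAPv2"] if scheme == "CLEARTEXT" else ["PAP"]

# Constructed sample entry, not taken from any real directory.
SAMPLE = make_ssha("correct horse battery", b"\x01" * 8)

if __name__ == "__main__":
    print(SAMPLE, verify_pap(SAMPLE, "correct horse battery"),
          usable_inner_methods(SAMPLE))
```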

----Original Message----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Ryan Lininger
Sent: Saturday 30 August 2008 15:59
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?

> Frank is right that PEAP requires that the passwords be stored in a
> specific format.  We tried to use FreeRadius and OpenLDAP with PEAP
> but couldn't get it to work because it required that we store the
> passwords in the LDAP database in either clear text or NTLM hash.  We
> store our passwords in a more secure (and not supported by MSCHAPv2)
> format so we had to move to EAP-TTLS with PAP.     
> 
> Also, if it helps, this site has some setup instructions that you may
> find helpful:  http://vuksan.com/linux/dot1x/802-1x-LDAP.html 
> 
> Ryan.
> 
> 
> Frank Bulk wrote:
>> I'm sure you could use LDAP if you stored your passwords in the
>> format necessary for MSCHAPv2, but the problem is that with LDAP most
>> often the password is clear text or some other format.
>> 
>> Frank
>> 
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[EMAIL PROTECTED] On Behalf Of John York
>> Sent: Tuesday, August 26, 2008 9:27 AM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?
>> 
>> I've been wanting to do PEAP with an ldap backend, but could never
>> find a way to do it.  EAP needs authentication traffic that RADIUS
>> supports, but ldap doesn't.  In fact, TTLS with secureW2 was
>> recommended to me as the way to do it--unfortunately, our Cisco ACS
>> doesn't support TTLS.  We do use PEAP with the built-in Vista client
>> and authentication from Cisco ACS to a Windows RADIUS (IAS) backend.
>> It works fine (assuming the ADS guys cooperate--don't know why they
>> wouldn't, since IAS is easy to configure.)  If you find a combination
>> that will let you use PEAP and an ldap backend, please let me know.
>> 
>> Thanks
>> John
>> 
>> John York
>> Network Engineer
>> Blue Ridge Community College
>> Weyers Cave, VA
>> 
>> 
>> 
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[EMAIL PROTECTED] On Behalf Of Philippe Hanset
>> Sent: Tuesday, August 26, 2008 10:06 AM
>> To: [email protected]
>> Subject: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?
>> 
>> All,
>> 
>> We want to move to EAP-PEAP instead of EAP-TTLS (secure W2), and try
>> to use the built-in client in Vista and XP.
>> We use RADIATOR for RADIUS and have two identical back end
>> directories: LDAP and Active Directory.
>> 
>> Considering the hashing issue that MSchapV2 introduces we want to
>> authenticate against AD. But our AD admin is giving us a hard time.
>> He wants us to join his domain and do NTSM/Kerberos.
>> This involves a lot of SAMBA and I'm more of a Tango guy!
>> 
>> Is there a better way with UNIX Based RADIUS (RADIATOR in our case)?
>> 
>> Thank you in advance,
>> 
>> Philippe
>> 
>> ----------------------------------
>> Philippe Hanset
>> University of Tennessee, Knoxville
>> Office of Information Technology
>> Network Services
>> 108 James D Hoskins Library
>> 1400 Cumberland Ave
>> Knoxville, TN 37996
>> Tel: 1-865-9746555
>> ----------------------------------
>> 
>> **********
>> Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/. 
>> 
>> 
> 
