802.1x with mschap-radius-ldap with ssha-1 passwords

Thibault Le Meur Thibault.LeMeur at supelec.fr
Tue Jul 18 15:19:19 CEST 2006


> I guess the obvious question is why can't the Radius server 
> simply perform a bind attempt to the LDAP server during 
> authentication, as opposed to trying to compare the password 
> received by the authenticator to the ssha-1 password stored in ldap?

Because, in PEAP, the client doesn't send the password in clear text:
* the radius server sends a challenge to the client
* the client replies with a response to the challenge string: this response
is computed from the NTLM hash of the password, the user name, ...

This way the radius server doesn't know the user's cleartext password and
can't bind to the LDAP server.
The radius server can only check that the response to the challenge is
correct by recomputing it with its own version of the NTLM hash of the
password.

See RFC2759: http://tools.ietf.org/html/2759
And http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx


HTH,
Thibault

More information about the Freeradius-Users mailing list