Definitive Word on FreeRadius/LDAP/EAP Requirements

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri Jun 26 16:36:20 CEST 2009


On 26/6/09 15:19, Aaron Mahler wrote:
>
> On Jun 26, 2009, at 10:00 AM, Arran Cudbard-Bell wrote:
>
>>> - Some have said EAP and LDAP can't be combined because LDAP requires
>>> plain text passwords here and EAP doesn't play ball in that manner
>>
>> What EAP method are you using... The different EAP methods have
>> different requirements.
>
> Well, again, I'm trying to work from a default Freeradius installation.
> I'd be happy to revert back to a fresh Freeradius install and step
> through this all again in a systematic manner. I just remain uncertain
> on the overall viability of LDAP/EAP in this context due to so many
> contradictory references I've seen about where clear-text needs to exist
> or not exist in the relationship.

They're not contradictory. You know EAP is only a framework, right? There are many different EAP Types which run within it. The different EAP Types require the users' credentials to be stored in different forms.

You appear to be using PEAPv0.

With PEAPv0 and a standard LDAP directory you have three options:
	1) Store the user's password in clear text.
	2) Store the user's password as an NT4-Password/LM hash. For NT4 (the more secure one) it's an MD4 hash of a 16-bit Unicode encoding of the user's password.
	3) Choose another EAP method.

I suggest you install SecureW2 on your clients (assuming they're windows) and use TTLS-PAP.

With TTLS-PAP, the RADIUS server receives a cleartext copy of the user's password within the TLS tunnel; it can then either hash that password in the same format as the one extracted from the LDAP directory and perform a comparison, or use the cleartext password to perform an LDAPv3 bind.

Arran
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


