About EAP-TTLS + MS-CHAPv2 authentication

Yuya Yanagi peacefull64 at gmail.com
Wed Jul 31 13:52:01 CEST 2019


Hi Alan

I confirmed the following questions.
Passwords stored in LDAP were encrypted with NT hash password.


>> The LDAP server uses OpenLDAP.

>  Then the database needs to supply a Cleartext-Password to FreeRADIUS.

>> Authentication of Wifi_AP and wired LAN does not use AD.
>>
>> The attribute about the user is set to OpenLDAP.

>  OK.

>  How are the passwords stored in LDAP?  Clear text?  crypt?  Some other method?

>  Only Clear text passwords and NT hashed passwords are compatible with MS-CHAPv2.


2019-07-31 0:15 GMT+09:00, Yuya Yanagi <peacefull64 at gmail.com>:
> Alan
>
>>
>>   OK.
>>
>>   How are the passwords stored in LDAP?  Clear text?  crypt?  Some other
>> method?
>
> The content of the attribute that holds the LDAP password is encrypted.
> Apart from that, there is also an attribute that has an unencrypted
> password, but since it is dangerous if it is described in the log etc,
> encryption is used instead.
>
> It is unclear whether this encrypted password is an NT hashed
> password, so I will check it.
>
> 2019-07-31 0:08 GMT+09:00, Alan DeKok <aland at deployingradius.com>:
>> On Jul 30, 2019, at 11:06 AM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
>>>
>>> Thank you for your reply.
>>>
>>> The LDAP server uses OpenLDAP.
>>
>>   Then the database needs to supply a Cleartext-Password to FreeRADIUS.
>>
>>> Authentication of Wifi_AP and wired LAN does not use AD.
>>>
>>> The attribute about the user is set to OpenLDAP.
>>
>>   OK.
>>
>>   How are the passwords stored in LDAP?  Clear text?  crypt?  Some other
>> method?
>>
>>   Only Clear text passwords and NT hashed passwords are compatible with
>> MS-CHAPv2.
>>
>>> The migration source passes authentication with MS-CHAPv2, but
>>> Maybe you should choose MS-Chapv2?
>>
>>   They're the same thing.
>>
>>   Alan DeKok.
>

