<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On 28 Sep 2011, at 16:10, Rosario Lumia wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><br><br><div class="gmail_quote">2011/9/28 Arran Cudbard-Bell <span dir="ltr">&lt;<a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a>&gt;</span><br></div><br>Sorry, do you mean I have to store in my mailserver cleartext or MD4 password?<br></blockquote><br></div><div>I'm saying that in order to do PEAP/MSCHAPv2 you have to have access to the Cleartext-Password or NT-Password, or be able to proxy the MSCHAPv2 data to something else that has access to the Cleartext-Password or NT-Password attribute (usually Active Directory).</div><div><br></div><div>If the CommuniGate box stores this information or lets you populate this information, then execute a query to populate control:Cleartext-Password or control:NT-Password in the authorize section of the inner-server after the call to the EAP module.</div><div><br></div><div>The reason why TTLS-PAP is working is because the server has a cleartext version of the password from the PAP tunnel which it can send to the CommuniGate box or compare with a value from the CommuniGate box. You can't do this with PEAP because the password is not sent in a reversibly encrypted format.</div><div><br></div><div>The Google description for <a href="http://communigate.com">communigate.com</a> mentions RADIUS. I don't have time to go digging through the manuals, but you might want to check if it'd be possible to proxy RADIUS/EAP authentication to the box, and then just make policy decisions with FreeRADIUS.</div><div><br></div><div>-Arran</div><br><div>
<div>Arran Cudbard-Bell<br><a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a><br><br>Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !</div>
</div>
<br></body></html>