Hi Alan, I agree with you. Before using EAP-TTLS with PAP, we used MD5 cipher but you need to have the LDAP User-Password in plain-text. Our security requirement in the LDAP database is that the User-Password must be ciphered (CRYPT). We found a good solution using EAP-TTLS with PAP. PAP permits us the authentication with CRYPT password. But, the problem is that LDAP database includes hash header before password, {crypt}XXXXX. How do you compare both passwords????? XXXX == {crypt}XXXX I propose the next solution: XXXX == XXXX Other solution??? Thanks! Alan DeKok wrote:
"Juan C. Sanchez-DelBarrio" <carlos.sanchez@bsc.es> wrote:
I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT PASSWORD. This feature would permit us to cipher the plain password in LDAP using CRYPT hash and compare the CRYPT hash of user password from LDAP with PAP authentication (crypt).
Why? The server already supports pulling the crypt'd password from LDAP, and comparing it to the users password via rlm_ldap.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Juan C. Sanchez-DelBarrio BSC-CNS http://www.bsc.es