Hi, I'm going to ask a follow-up questions here so I'll be better equipped to answer the same question from others when I explain that we cannot do 802.1x-PEAP with ssha-1 passwords stored in ldap.
From what I understand, the reason this won't work is because ssha-1 passwords are 1-way encrypted and therefore cannot be decrypted by the radius server for comparison of user credentials. Correct?
I guess the obvious question is why can't the Radius server simply perform a bind attempt to the LDAP server during authentication, as opposed to trying to compare the password received by the authenticator to the ssha-1 password stored in ldap? Thanks Matt Ashfield Network Analyst Integrated Technology Services University of New Brunswick (506) 447-3033 mda@unb.ca -----Original Message----- From: aland@nitros9.org [mailto:aland@nitros9.org] Sent: July 17, 2006 7:51 PM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: 802.1x with mschap-radius-ldap with ssha-1 passwords "Matt Ashfield" <mda@unb.ca> wrote:
I was afraid you'd say that. What would you suggest as a workaround for this problem? Could I do EAP-TTLS using the securew2 client instead?
Yes.
Or am I better off creating a 2nd password attribute on the LDAP directory that is maybe encoded as an NT-Password attribute or something like that.
That works once everyone changes their password. Alan DeKok.