Matt Ashfield a écrit :
Hi,
We’re looking into using PEAP with MSChapV2, instead of PAP (don’t want to use the SecureW2 client anymore) so are investigating ways to store the password in LDAP.
According to http://deployingradius.com/documents/protocols/compatibility.html ,the options are storing the password in Clear-Text or in an NT Hash (ntlm_auth).
In talking with our LDAP people, I was told the following:
SunOne does not support nt-hash passwords. Supported formats are CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and SSHA512.
This means that your userPassword attribute must contain your password in the previously mentionned has forms. This userPassword attribute is used internally by your LDAP directory in order to authenticate your access (bind) to the LDAP server.
It sounds to me like if we want to do PEAP/MSChapV2 we’d have to store the password in cleartext? I would just like to verify this via this list.
Not necessarily. You may _not_ want to use ldap binding as the authentication process, but only use your LDAP directory as a database backend in which FR will read a given ldap attribute (different from 'userPassword') and maps it to the NT-Hash version of the user password. In other words (setup for FR1.7): * in your LDAP directory entries add a new attribute (that will hold the NT-Hash version of the user password) * update the configuration file ldap.attrmap so that the new ldap attribute maps to the radius NT-Password attribute * setup your rlm_ldap module and use it in the authorize section (NOT the authenticate section) * don't forget to use the mschap module in your authorize section (after the ldap one) so that the MS-CHAP Authentication will see the encrypted user password and sets Auth-Type accordingly Hope this helps, Thibault
Any advice is appreciated.
Thanks
Matt
mda@unb.ca
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html