Sebastian Mauer <sebastian@n-unity.de> wrote:
I just researched a little bit in the freeradius-users list and found out that there have to be clear passwords in the LDAP Direcotry to get FreeRADIUS to work with LDAP. However I think it's not very secure to store the passwords in clear in the Directory, even if there are ACLs in Place.
Too bad. That's how the security protocols were designed. And there are good reasons why they were designed that way.
Is it really not possible to do PEAP (w. MSCHAPv2) when I have NT-Hashes in the Directory?
It *is* possible. But only because the NT hashes are "plain-text equivalent". This means having the NT hash is just as good (for an attacker) as having the clear-text password. So using NT hashes in LDAP may make you *feel* more secure, because they're not "clear-text". But it won't *honestly* be more secure. Why? 5G of disk space and 30 seconds of computer time can turn 90% or more of NT hashes back into clear-text passwords, among other reasons. Alan DeKok.