Hi Ivan, i know about the restrictions, but do you know how weak that NT hash is? from what i know its MD4 hashing, where is that use nowadays? not even MD5 is used anymore ... the MD4 algorithm was one of the earliest MD algorithms ... made in '90, and MD5 came as a improvement and is to this day the most popular. MD5 should be the most secure of the MD bunch but even so it has been shown to be abnormally susceptible to collisions, and its use is now actively discouraged so i cant afford to make all my user password hash weak... also i need to respect some security guidelines in my system. i could go to use only clear-text for 802.1x users, have a exception for this kid of users. thats why im thinking to try some filtering... based on the NAS-ID or NAS-IP i might authenticate the users in users file or LDAP, right? :D thank you again for your thoughts on this Best Regards, Caius Pargar --- On Wed, 11/11/09, tnt@kalik.net <tnt@kalik.net> wrote:
From: tnt@kalik.net <tnt@kalik.net> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Wednesday, November 11, 2009, 8:53 PM
my problem was that in LDAP i have the passwords save as SSHA, so i cant do 802.1x with EAP/PEAP/mschap
as i dont wanna change my LDAP configuration to store the passwords in clear-text, or to use samba.scheme and to use NT hash. The only option remaining from my view point was to try and distinguish between normal authentication and 802.1x authentication
thats why i came up with this realm stuff, to be able to authenticate 802.1x users in the users file (where i have user/passwords in clear-text) and normal users in LDAP (SSHA)
Ugh, how does that make sense? Why don't you want nt or clear passwords in ldap? Security? But it's so much easier to read a plain text (users) file than break into ldap.
thats why i was asking if, its possible, and if it functional, or maybe there is another solution then the one provided by Alan (to not use 802.1x) :D
There is only one solution if you want to use 802.1x: store passwords that peap can use.
Ivan Kalik Kalik Informatika ISP