On 11/07/12 14:04, Marco Macala wrote:
if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel.
isn't the point of PEAP that i don't need them because it is wrapped in an encrypted communication?
Yes.
as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed.
The thing is, i can't use AD to store the passwords. Specifically, i would like to store the password as a salted hash.
You can't do this, and use PEAP. PEAP requires MSCHAPv2, which requires plaintext or NT hash exist SOMEWHERE. See: http://deployingradius.com/documents/protocols/compatibility.html
I want something like this: - encrypted channel between authenticator and radius server
PEAP or TTLS will provide this.
- passwords stored as a salted hash
Only TTLS-PAP will provide this. See the link above. TTLS is not available until Windows 8, so you will need to deploy software on windows clients.