Hi Alan, your right in what you say, My conclusion is: i could go for EAP-TTLS + xsupplicant (there is also a windows version), then i dont need to weaken my server security, but i force the client to install a 3th party tool or as discuses with Ivan, i could make some rules, based on the NAS-ID or NAS-IP, where to check for the 802.1x users (in users file), right? ill do tomorrow some tests with this solutions and see if i have some problems thanks again for your patience and clear answers, Best Regards, Caius Pargar --- On Thu, 11/12/09, Alan DeKok <aland@deployingradius.com> wrote:
From: Alan DeKok <aland@deployingradius.com> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Thursday, November 12, 2009, 10:18 AM Caius wrote:
i know about the restrictions, but do you know how weak that NT hash is?
Everyone knows.
so i cant afford to make all my user password hash weak...
Perhaps you didn't read the web page on deployingradius.com.
If you want to do PEAP, the ONLY CHOICE you have is whether to store clear-text passwords, or NT hashed passwords.
Saying you "can't afford" to use NT hash is like saying "I want to drive a car, but I can't afford the time to learn how".
also i need to respect some security guidelines in my system.
Too bad. If your security system forbids clear-text passwords && NT hashed passwords, then it forbids EAP.
That's what the web page says. If it's not clear, go read it again.
i could go to use only clear-text for 802.1x users, have a exception for this kid of users.
thats why im thinking to try some filtering... based on the NAS-ID or NAS-IP i might authenticate the users in users file or LDAP, right? :D
Put the 802.1X capable users into an LDAP group. Forbid anyone else from doing 802.1X.
And store the passwords clear-text or NT hashed. Use LDAP ACLs to limit access to them.
Alan DeKok.