On 08/17/2010 09:20 PM, Paul Dugas wrote:
On Tue, Aug 17, 2010 at 4:02 PM, Alan DeKok<aland@deployingradius.com> wrote:
If you do not have clear-text or NT hashed passwords in your LDAP database, then *no* tool will magically make MS-CHAP work. The problem is the method used to store the password. The problem is *not* the tool used to retrieve the password.
If I do have NT hashed passwords in LDAP, is PEAP with ntlm_auth the recommendation?
No. MS-CHAP requires access to the NT hash to execute the challenge/response. This means you have 3 options: 1. Use a datastore containing the NT hash directly. In your case, let the "ldap" module fetch the users NT hash, then the "mschap" module perform challenge/response. 2. Use a datastore containing the cleartext password. Fetch the cleartext password, generate the NT hash, proceed as above NOTE: options 1 & 2 would *not* work if your LDAP server were active directory, since AD doesn't permit access to the passwords or hashes. 3. Hand off the challenge/response to a 3rd party who *does* have access to one of the above. This is typically done by a) installing Samba b) joining a windows domain/active directory and c) using the ntlm_auth helper to pass the challenge/response request to a domain controller. In your case, provided you are using the default configurations, the ldap module will fetch the NT hash, and mschap will do the authentication. The "ntlm_auth" helper is not applicable; it's only used on a samba domain member to pass requests to the domain controller(s).