Olivier Nicole wrote:
In the same newbie language (because I am), you must use EAP/MS-CHAP. This implies that you have your passwords stored in a LMNT compatible way (some flavor of MD4).
What I ended with in LDAP is a normal MD5 hashed password for more of the usage and the same password hashed the MS way for Samba and 802.11x (and all the burden to keep the passwords in sync). Indeed, I would have preferred to keep our current hashing mechanism, that's why I can't really move on to this. And of course, because once the passwords are hashed our way, we can't hash them differently, being unable to have the clear text ones.
That is why I have both hashes in the database (ldap). I had to ask the users to change their password once, and the procedure to change the password would update both passwords in parallel.
I implemented the dual hash many years ago, new users don't even know about it.
But bear in mind: With that approach the effective security strength is always that of the weaker hash algorithm. Ciao, Michael.