Matt Ashfield wrote:
During a pap conversation, the radius server ends up with the username/password passed to it from the client. It then encrypts the password to match the encryption of the stored password in ldap (or other directory) and tries a bind. Correct?
No. LDAP bind is done using the clear-text password supplied by the user in the Access-Request. If the "known good" password is stored *hashed* in a DB, then FreeRADIUS isn't doing "LDAP bind". Instead, it pulls the hashed password from the DB, hashes the password in the Access-Request, and compares the two hashes.
During a PEAP conversation, the radius server also would end-up with a username/password received from the client (either via clear-text or via the mschap conversation).
It's almost always MS-CHAP.
Why can it not then encrypt the password just like PAP did? Does it do the comparison to LDAP stored passwords via MSCHAP as well?
If the LDAP server supplies the clear-text password to FreeRADIUS, yes. If it doesn't, LDAP bind won't work, because the Access-Request doesn't contain a clear-text password. And since LDAP servers don't do MS-CHAP, you're left with somehow getting FreeRADIUS to do the job, which means supplying it with the cleartext password. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog