On 10 Nov 2014, at 14:01, E.S. Rosenberg <esr+freeradius-users@mail.hebrew.edu> wrote:
Hi all, I was doing some research into the authentication protocol used by a VPN solution we are trying and cam across this fairly old thread on your list: http://freeradius.1045715.n5.nabble.com/Chap-auhtentication-against-LDAP-td2...
Which in turn links to a nice page by Alan DeKok here: http://deployingradius.com/documents/protocols/compatibility.html
Which left me asking myself 2 questions: 1. Did anything change in the past 5 years, is there any decently supported protocol that does support hashed passwords (other then PAP)?
Windows 8 now supports EAP-TTLS-PAP.
2. How can it be that all these protocols were designed with the idea that the auth server should have a cleartext copy of the users' password, haven't we all known for years now that that's a bad idea?
Passwords in general are shit security. If you want something secure use EAP-TLS it's supported by every major supplicant. The private key need only be known to one party (the supplicant). If you still want passwords for 2FA, allow the users to set encryption keys for the private cert. Then, if your DB is compromised there's nothing to leak, except user identities. Most of the difficulties around managing PKI are imagined. For OSX and Windows you can easily generate network profiles that bundle personal certs with the settings required to connect to Wired/Wireless Networks and VPNs. If you're concerned about passwords being compromised stop using passwords. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2