On 26/6/09 15:19, Aaron Mahler wrote:
On Jun 26, 2009, at 10:00 AM, Arran Cudbard-Bell wrote:
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
What EAP method are you using... The different EAP methods have different requirements.
Well, again, I'm trying to work from a default Freeradius installation. I'd be happy to revert back to a fresh Freeradius install and step through this all again in a systematic manner. I just remain uncertain on the overall viability of LDAP/EAP in this context due to so many contradictory references I've seen about where clear-text needs to exist or not exist in the relationship.
They're not contradictory. You know EAP is only a framework right? There are many different EAP Types which run within it. The different EAP Types require the users credentials to be stored in different forms. You appear to be using PEAPv0. With PEAPv0 and a standard LDAP directory you have three options: 1) Store the users Password in Clear-Text 2) Store the users password as an NT4-Password/LM Hash. For NT4 (the more secure one) it's an MD4 hash of a 16bit unicode encoding of the users password. 3) Choose another EAP method. I suggest you install SecureW2 on your clients (assuming they're windows) and use TTLS-PAP. With TTLS PAP, the RADIUS server receives a Cleartext copy of the users password within the TLS tunnel, it can then either hash that password in the same format as the one extracted from the LDAP directory and perform a comparison, or use the cleartext password to perform an LDAPv3 bind. Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2