Caius wrote:
regarding your tips: a) i dont wanna do, maybe if i have no other choice, ill have 2 password attributes SSHA+NTLM, but its a clear no to clear-text, and a maybe to NT hash
NTLM is largely a version of MSCHAP for Active Directory. If you want to do PEAP authentication, you need clear-text passwords, or NT hashes.
b) need it, so not gonna happen
so, as i need to proceed further with my investigation, what are my options really? :D
i was thinking at the following: to do the normal user authentication in LDAP, based on the provided realm, and if no realm present authenticate the users in users file. Users which use 802.1x will be saved in clear-text in users file and users used for authentication for other stuff, will be checked in LDAP (@mydomain.com)
or can i switch this around? a user: myuser@dot1x.com will be based on the real authenticated in users file for 802.1x and a user with no realm will be authenticated in LDAP?
I would suggest using email addresses for 802.1X authentication. Inventing fake realms is a bad idea. Alan DeKok.