Matt Ashfield wrote:
I'm pouring through the alphabet soup of all of this and have a few questions that keep popping up.
During a pap conversation, the radius server ends up with the username/password passed to it from the client. It then encrypts the password to match the encryption of the stored password in ldap (or other directory) and tries a bind. Correct?
Yes
During a PEAP conversation, the radius server also would end-up with a username/password received from the client (either via clear-text or via the mschap conversation). Why can it not then encrypt the password just like PAP did? Does it do the comparison to LDAP stored passwords via MSCHAP as well?
No, miles off. During a PEAP/MS-CHAP conversation, the server ends up with: challenge == random bytes response == HASH(challenge, HASH(password)) If the server has any of: * the plaintext password * HASH(password) i.e. the NT or LM hashes * access to a domain controller which has the NT/LM hashes ...it can check the challenge and response match and that the client is who they say they are.