Arran Cudbard-Bell wrote:
use clear-text passwords in LDAP. If you can't put clear-text passwords in LDAP, stop trying to use PEAP.
NO ! Calculate the damn NT Hashes... Never put users clear-text passwords in LDAP if you can avoid it.
Step 1: Get it to work. Step 2: Get it to work better. Getting past step one involves configuring everything to remove as many variables as possible.
The weak point is the nt4 hash as it has no salt... and there are known issues with md4, but it's still better than leaving everything in cleartext.
For anyone who cares, 99.9% of NT hash'd passwords can be turned back into clear-text passwords with 5G of disk space, and a few minutes of work. The security added by NT hashed passwords is minimal. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog