FreeRadius/PEAP

Phil Mayers p.mayers at imperial.ac.uk
Thu Oct 13 23:53:31 CEST 2005


James Taylor wrote:
> Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
> this in the EAP.CONF file?  What we are basically trying to do is use
> FreeRadius to authenticate against our current user database on our Linux
> server while still maintaining the PEAP-TLS security with wireless.  Is that
> even possible?
> 

PEAP can have several inner types. One of these is "GTC" (generic token 
card) which sends a prompt and asks for a response. I believe the prompt 
can be "password" and the response the actual password.

How well Windows' GTC support works I couldn't tell you, though I know 
it's there.

See the "gtc" section in "eap.conf".

PAM would not help; as Josh says, MSCHAPv2 needs the NT/LM hashes, which 
means either having the hashes, or the plaintext password to generate 
them from, not a "crypt". In any event, PAM seems to work very badly 
because of threading issues.
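
The "gtc" section referred to above, sketched as an added example that is not part of the original post. It assumes the stock eap.conf layout shipped with FreeRADIUS; the certificate settings in "tls" and the backend that the PAP check runs against are site-specific and are left out.

```conf
# Constructed sketch of the relevant eap.conf sections, not a complete file.
eap {
	# Outer method offered to the client; PEAP runs inside the TLS
	# tunnel that the "tls" section sets up.
	default_eap_type = peap

	tls {
		# Server certificate and key settings go here (omitted).
		# PEAP will not start without a working tls section.
	}

	peap {
		# Inner method carried inside the tunnel. The shipped default
		# is mschapv2, which needs the NT/LM hashes or the plaintext
		# password on the server side.
		#default_eap_type = mschapv2
		default_eap_type = gtc
	}

	gtc {
		# Prompt sent to the client inside the tunnel.
		challenge = "Password: "

		# The client's response is placed in User-Password and handed
		# to this Auth-Type, so it can be compared with a crypt'd
		# password instead of an NT/LM hash.
		auth_type = PAP
	}
}
```

With GTC as the inner method the password reaches the server in the clear inside the TLS tunnel, so the client must validate the server certificate and the tunnelled session should not be proxied onward.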


