PEAP without credentials

Sebastian Müller crazybug at bsdberlin.org
Fri Sep 16 15:30:13 CEST 2005


Hi,
I thought the username/passwd is transfered while the shake-hand. So it
wouldn't be able to reuse this transfered (encrypted or not) password
for the connection? - Any maybe store it in a database for some time.
I am no crypt-expert, so I don't know if the user-password is transfered
crypted or not. When I look in my radius log, it shows me the clear-text
password of everyone who tries to auth. I would use that transfer to
copy username & Passwd and store it in a db, so for the rest of the auth
and autz the server would have the passwd. ... or am i wrong in my mind?

cu
Sebastian


On Fri, 2005-09-16 at 13:12 +0200, Stefan.Neis at t-online.de wrote:
>           Hello,
> 
> > Hi, is there a way, to tell the freeradius to accept an incoming peap
> > request, without asking for user credentials, or to accept any
> > credentials?
> 
> No, I don't think so.
> 
> > Currently needed to use the credentials guest/guest. It would be
> > simpler to accept any credentials, without loosing the encryption.
> 
> The problem is, encryption is based on the clear-text user password,
> so this _must_ be stored on the server somehow (e.g. by using
> guest/guest). While you can accept arbitrary PEAP requests, there's no
> way to extract the clear text password from the request, thus the
> server can't get the key for the encryption.
> 
>         HTH,
>                  Stefan
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 




More information about the Freeradius-Users mailing list