questions about eap md5 authentication
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jan 24 15:27:00 CET 2006
Robert WAKIM wrote:
>
> Thanks for the answer. It works if I store the passwords in clear text
> in the ldap database.
>
> What method should I use to store the passwords in md5?
I don't think you can use any challenge-response mechanisms with the
passwords MD5 "crypt"ed.
Some MD5-based challenge-response methods (such as Digest-MD5) can work
if you store the derived HA1 value, which is different from the
/etc/passwd-style MD5 "crypt" one-way hash. I would have to look at the
EAP-MD5 mechanism RFC to see if that were true, but in any case when I
glanced at the 1.0.5 source code of rlm_eap_md5, *it* wasn't written to
be able to make use of the HA1 as far as I could tell.
If you store the ntPassword you can extract that into the NT-Password
RADIUS attribute and use MS-CHAP. Or, depending on what 802.1x
supplicant you're using, you could use TTLS with a PAP inner mechanism,
and you can check PAP against any store/crypt.
Note that both the HA1 and NT hashes are plaintext-equivalent, i.e. if you
steal them it's just as good as having the password, so the security
benefits of storing such a crypt rather than the plaintext are somewhat
questionable IMHO.
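The three points in the reply above (EAP-MD5 needs the cleartext secret, a stored Digest HA1 is enough to answer a Digest challenge and is therefore plaintext-equivalent, and a PAP inner method can be checked against any one-way hash) as an added, self-contained example. This is not code from the thread or from FreeRADIUS/rlm_eap_md5; it implements the computations from RFC 3748 section 5.4 (EAP-MD5, the same MD5(Identifier || Secret || Challenge) as CHAP in RFC 1994), RFC 2617 Digest without qop, and the OpenLDAP-style {SSHA} password format. The user name, realm, password, salt, nonce and challenge bytes are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# 1. EAP-MD5 (RFC 3748 section 5.4; same computation as CHAP, RFC 1994):
#    Response = MD5(Identifier || Secret || Challenge).
#    The server must recompute this, so it needs the secret itself;
#    a one-way /etc/passwd-style MD5 crypt of the password cannot be used.

def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def eap_md5_verify(identifier: int, stored_secret: bytes,
                   challenge: bytes, response: bytes) -> bool:
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

# 2. Digest (RFC 2617, no qop): HA1 = MD5(user:realm:password) is the only
#    password-derived input, so a server can store HA1 instead of the
#    password. Whoever holds HA1 can also answer the challenge, which is
#    what "plaintext-equivalent" means.

def digest_ha1(user: str, realm: str, password: str) -> str:
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def digest_verify(stored_ha1: str, nonce: str, method: str, uri: str,
                  response: str) -> bool:
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)

# 3. PAP delivers the cleartext password (inside the TTLS tunnel), so the
#    server can check it against any one-way format. Here: OpenLDAP-style
#    {SSHA} = base64(SHA1(password || salt) || salt).

def ssha_hash(password: bytes, salt: bytes) -> str:
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_verify_ssha(stored: str, password: bytes) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def demo() -> dict:
    password = "correct horse"           # constructed
    wrong = "wrong horse"                # constructed
    challenge = bytes(range(16))         # constructed 16-byte EAP-MD5 challenge
    ident = 7                            # constructed EAP Identifier

    # EAP-MD5: verification only works when the server holds the cleartext.
    resp = eap_md5_response(ident, password.encode(), challenge)
    eap_ok = eap_md5_verify(ident, password.encode(), challenge, resp)
    eap_wrong = eap_md5_verify(ident, wrong.encode(), challenge, resp)

    # Digest: the server keeps only HA1; an attacker who copied HA1 from the
    # directory produces exactly the response the real user would.
    ha1 = digest_ha1("robert", "example.org", password)
    nonce, method, uri = "deadbeef", "AUTHENTICATE", "radius/example.org"
    legit = digest_response(ha1, nonce, method, uri)
    digest_ok = digest_verify(ha1, nonce, method, uri, legit)
    stolen_ha1 = ha1                     # attacker never learns the password
    forged = digest_response(stolen_ha1, nonce, method, uri)
    attacker_passes = digest_verify(ha1, nonce, method, uri, forged)

    # PAP against a salted one-way hash: works, and the stored value alone
    # does not let anyone authenticate.
    stored = ssha_hash(password.encode(), b"\x01\x02\x03\x04")
    pap_ok = pap_verify_ssha(stored, password.encode())
    pap_wrong = pap_verify_ssha(stored, wrong.encode())

    return {
        "eap_md5_ok": eap_ok, "eap_md5_wrong_secret": eap_wrong,
        "digest_ok": digest_ok, "digest_stolen_ha1_passes": attacker_passes,
        "pap_ssha_ok": pap_ok, "pap_ssha_wrong": pap_wrong,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints one line per check; the Digest section is the one to look at: `digest_stolen_ha1_passes` is True even though the "attacker" only ever had the stored HA1, which is the plaintext-equivalence the reply warns about. The EAP-MD5 verifier has no equivalent trick, because MD5(id || secret || challenge) cannot be recomputed from any hash of the secret alone.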
More information about the Freeradius-Users
mailing list