802.1x with mschap-radius-ldap with ssha-1 passwords

Matt Ashfield mda at unb.ca
Tue Jul 18 13:07:36 CEST 2006


Hi,

I'm going to ask a follow-up question here so I'll be better equipped to
answer the same question from others when I explain that we cannot do
802.1x-PEAP with ssha-1 passwords stored in ldap.

From what I understand, the reason this won't work is because ssha-1
passwords are 1-way encrypted and therefore cannot be decrypted by the
radius server for comparison of user credentials. Correct?

I guess the obvious question is why can't the Radius server simply perform a
bind attempt to the LDAP server during authentication, as opposed to trying
to compare the password received by the authenticator to the ssha-1 password
stored in ldap?

Thanks


Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
mda at unb.ca 


-----Original Message-----
From: aland at nitros9.org [mailto:aland at nitros9.org] 
Sent: July 17, 2006 7:51 PM
To: mda at unb.ca; FreeRadius users mailing list
Subject: Re: 802.1x with mschap-radius-ldap with ssha-1 passwords

"Matt Ashfield" <mda at unb.ca> wrote:
> I was afraid you'd say that. What would you suggest as a workaround for
> this problem? Could I do EAP-TTLS using the securew2 client instead?

  Yes.

>  Or am I better off creating a 2nd password attribute on the LDAP
> directory that is maybe encoded as an NT-Password attribute or
> something like that.

  That works once everyone changes their password.

  Alan DeKok.




