802.1x with mschap-radius-ldap with ssha-1 passwords
Matt Ashfield
mda at unb.ca
Tue Jul 18 13:07:36 CEST 2006
Hi,
I'm going to ask a follow-up questions here so I'll be better equipped to
answer the same question from others when I explain that we cannot do
802.1x-PEAP with ssha-1 passwords stored in ldap.
>From what I understand, the reason this won't work is because ssha-1
passwords are 1-way encrypted and therefore cannot be decrypted by the
radius server for comparison of user credentials. Correct?
I guess the obvious question is why can't the Radius server simply perform a
bind attempt to the LDAP server during authentication, as opposed to trying
to compare the password received by the authenticator to the ssha-1 password
stored in ldap?
Thanks
Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
mda at unb.ca
-----Original Message-----
From: aland at nitros9.org [mailto:aland at nitros9.org]
Sent: July 17, 2006 7:51 PM
To: mda at unb.ca; FreeRadius users mailing list
Subject: Re: 802.1x with mschap-radius-ldap with ssha-1 passwords
"Matt Ashfield" <mda at unb.ca> wrote:
> I was afraid you'd say that. What would you suggest as a workaround for
this
> problem? Could I do EAP-TTLS using the securew2 client instead?
Yes.
> Or am I better off creating a 2nd password attribute on the LDAP
> directory that is maybe encoded as an NT-Password attribute or
> something like that.
That works once everyone changes their password.
Alan DeKok.
More information about the Freeradius-Users
mailing list