pap/peap confusion
Alan DeKok
aland at deployingradius.com
Wed Feb 14 21:23:12 CET 2007
Matt Ashfield wrote:
> During a pap conversation, the radius server ends up with the
> username/password passed to it from the client. It then encrypts the
> password to match the encryption of the stored password in ldap (or other
> directory) and tries a bind. Correct?
No. LDAP bind is done using the clear-text password supplied by the
user in the Access-Request.
If the "known good" password is stored *hashed* in a DB, then
FreeRADIUS isn't doing "LDAP bind". Instead, it pulls the hashed
password from the DB, hashes the password in the Access-Request, and
compares the two hashes.
> During a PEAP conversation, the radius server also would end up with a
> username/password received from the client (either via clear-text or via the
> mschap conversation).
It's almost always MS-CHAP.
> Why can it not then encrypt the password just like PAP
> did? Does it do the comparison to LDAP stored passwords via MSCHAP as well?
If the LDAP server supplies the clear-text password to FreeRADIUS,
yes. If it doesn't, LDAP bind won't work, because the Access-Request
doesn't contain a clear-text password.
And since LDAP servers don't do MS-CHAP, you're left with somehow
getting FreeRADIUS to do the job, which means supplying it with the
cleartext password.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
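An added example (not FreeRADIUS code, and not part of the original thread) of the two paths Alan describes: the PAP request carries the clear-text password, so the server can hash it and compare against a hashed directory value, while an MS-CHAP request carries only a challenge/response and so needs clear-text or NT-Hash material. It assumes OpenLDAP-style {SSHA} storage and uses the standard NT-Hash as the alternative known-good form.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample format: an OpenLDAP-style userPassword value is
# "{SSHA}" + base64(sha1(password + salt) + salt).

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build the stored {SSHA} value the way a directory would."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_pap(user_password: str, stored: str) -> bool:
    """PAP path: the Access-Request carries the clear-text User-Password,
    so hash it the same way the directory did and compare digests.
    No LDAP bind is needed; the comparison is constant-time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(user_password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# What each method leaves in the Access-Request, and which stored forms
# let the server finish the check. Assumption: "nt-hash" is the standard
# MD4-of-UTF-16LE NT-Hash; it cannot be derived from an {SSHA} value, and
# an MS-CHAP response can only be recomputed from clear-text or NT-Hash.
REQUEST_CARRIES = {"pap": "cleartext", "mschapv2": "challenge-response"}
USABLE_MATERIAL = {
    "cleartext": {"cleartext", "ssha", "nt-hash"},   # bind, or hash and compare
    "challenge-response": {"cleartext", "nt-hash"},  # must recompute the response
}

def can_authenticate(method: str, stored_form: str) -> bool:
    """True when the request material plus the stored form suffice."""
    return stored_form in USABLE_MATERIAL[REQUEST_CARRIES[method]]

if __name__ == "__main__":
    stored = make_ssha("correct horse", b"12345678")  # constructed salt
    print(verify_pap("correct horse", stored), can_authenticate("mschapv2", "ssha"))
```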