EAP-TTLS inner auth methods for 802.1x
Alan DeKok
aland at deployingradius.com
Mon Jan 29 13:07:45 CET 2007
James Lever wrote:
> I'm stuck trying to work out how to avoid sending the password unhashed
> to the server
Why?
> and think that some form of CHAP/MSCHAPv2 might be the
> right way to go. My current thoughts are that I should use PAP with
> SHA1 or SSHA1 but I seem to get the right config (if it is even possible).
If you use PAP, it means cleartext passwords are being sent to the
server. "PAP with SSHA1" is meaningless, because it's contradictory and
impossible.
> If this is feasible/possible, are there any gotcha's with the various
> supplicants to getting this to work from the client side and avoiding
> sending the passwords in cleartext (inside the EAP-TLS tunnel).
See my web page for compatibility issues:
http://deployingradius.com/documents/protocols/compatibility.html
> Also, while I'm here, any suggestions for an appropriate backend
> password store so that there is never a cleartext password except for
> the initial entry (password change) on the server side would be
> appreciated.
Your desires are contradictory. If the password is hashed in
EAP-TTLS, then the server needs the cleartext password in order to
authenticate the user.
I don't understand why giving the server access to the cleartext
passwords is such a terrible thing to do.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Users
mailing list