radius+ldap+peap
Alan DeKok
aland at deployingradius.com
Fri May 18 15:59:28 CEST 2007
Arran Cudbard-Bell wrote:
>>> use clear-text passwords in LDAP. If you can't put clear-text
>>> passwords in LDAP, stop trying to use PEAP.
>
> NO ! Calculate the damn NT Hashes... Never put users clear-text
> passwords in LDAP if you can avoid it.

Step 1: Get it to work.
Step 2: Get it to work better.

Getting past step one involves configuring everything to remove as
many variables as possible.

> The weak point is the nt4 hash as it has no salt... and there are known
> issues with md4, but it's still better than leaving everything in cleartext.

For anyone who cares, 99.9% of NT hash'd passwords can be turned back
into clear-text passwords with 5G of disk space, and a few minutes of work.

The security added by NT hashed passwords is minimal.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog