radius+ldap+peap
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Fri May 18 16:19:53 CEST 2007
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>>>> use clear-text passwords in LDAP. If you can't put clear-text
>>>> passwords in LDAP, stop trying to use PEAP.
>> NO ! Calculate the damn NT Hashes... Never put users' clear-text
>> passwords in LDAP if you can avoid it.
>
> Step 1: Get it to work.
> Step 2: Get it to work better.
True...
But you're encouraging people in bad habits !
It's like all the documentation I've seen telling people to *un-check*
the validate certificate check box in Windows XP supplicants ...
>
> Getting past step one involves configuring everything to remove as
> many variables as possible.
>
>> The weak point is the nt4 hash as it has no salt... and there are known
>> issues with md4, but it's still better than leaving everything in cleartext.
>
> For anyone who cares, 99.9% of NT hash'd passwords can be turned back
> into clear-text passwords with 5G of disk space, and a few minutes of work.
>
> The security added by NT hashed passwords is minimal.
Yes, but it stops the annoying student who acquires the manager
credentials from the test documentation wiki which *someone* forgot to
password protect, dumping everyone's credentials out in plaintext...
It's hard to stop people who know what they're doing, but fortunately
those people are in the minority....
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900