Using encrypted passwords from LDAP

Alan DeKok aland at deployingradius.com
Fri Aug 7 16:53:37 CEST 2009


Steffen Langhammer wrote:
> It's a bad system and solution in this case.

  The only problem is the failure to understand limitations.

  I didn't say "FreeRADIUS couldn't do it".

  I said "it's impossible".

> Because a cleartext-match isn't the same as a ldap-bind.

  That isn't news.

> I was checking Cisco ACS and there an option handles different LDAP
> sources with encrypted fields.

  For Access-Requests that contain CLEAR TEXT PASSWORDS.

  It does NOT DO THIS for Access-Requests that contain PEAP.

  FreeRADIUS can authenticate Access-Requests against crypt'd passwords
in LDAP, when the Access-Requests contain a User-Password attribute.

  Why?  Because the table I pointed you to shows that it's POSSIBLE.

  The red entries in the table show what is IMPOSSIBLE.  The text on
that page explains in great detail what your options are if you want to
do the impossible.

  Now stop arguing.  If you think that ACS can do PEAP authentication
using crypt'd passwords in LDAP, then go buy ACS.  Maybe their support
department will convince you that it's impossible.

  If they don't, they won't care, because you'll have paid $5K for a
piece of software that doesn't solve your problem.  You'll then have to
do *ANYWAYS* what I'm telling you: change your requirements.

  Alan DeKok.
