FR2.1.3+LDAP+802.1x+PEAP

Caius caiuspolgar at yahoo.com
Thu Nov 12 08:58:11 CET 2009


Hi Ivan,

I know about the restrictions,
but do you know how weak that NT hash is?
From what I know it's MD4 hashing; where is that used nowadays? Not even MD5 is used anymore ...
The MD4 algorithm was one of the earliest MD algorithms ... made in '90, and MD5 came as an improvement and is to this day the most popular. MD5 should be the most secure of the MD bunch, but even so it has been shown to be abnormally susceptible to collisions, and its use is now actively discouraged.

So I can't afford to make all my user password hashes weak... also I need to respect some security guidelines in my system.

I could go with using only clear-text for 802.1x users, and have an exception for this kind of users.

That's why I'm thinking to try some filtering... based on the NAS-ID or NAS-IP I might authenticate the users in the users file or LDAP, right? :D


Thank you again for your thoughts on this.

Best Regards,
Caius Pargar


--- On Wed, 11/11/09, tnt at kalik.net <tnt at kalik.net> wrote:

> From: tnt at kalik.net <tnt at kalik.net>
> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Date: Wednesday, November 11, 2009, 8:53 PM
> > my problem was that in LDAP I have the passwords saved as SSHA, so I can't
> > do 802.1x with EAP/PEAP/mschap
> >
> > as I don't wanna change my LDAP configuration to store the passwords in
> > clear-text, or to use samba.scheme and to use NT hash. The only option
> > remaining from my view point was to try and distinguish between normal
> > authentication and 802.1x authentication
> >
> > that's why I came up with this realm stuff, to be able to authenticate
> > 802.1x users in the users file (where I have user/passwords in clear-text)
> > and normal users in LDAP (SSHA)
> 
> Ugh, how does that make sense? Why don't you want nt or
> clear passwords in
> ldap? Security? But it's so much easier to read a plain
> text (users) file
> than break into ldap.
> 
> > that's why I was asking if it's possible, and if it's functional, or maybe
> > there is another solution than the one provided by Alan (to not use
> > 802.1x) :D
> 
> There is only one solution if you want to use 802.1x: store
> passwords that
> peap can use.
> 
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
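As an added example (not from this thread, and not the poster's or the project's own configuration), the NAS-based split Caius asks about could be expressed in FreeRADIUS 2.x unlang roughly as below, in the virtual server that processes the PEAP inner request. The huntgroup name, the NAS address and the assumption that the outer NAS-IP-Address is copied into the tunnel are all mine, not the thread's.

```unlang
# Added illustration, not from this thread.  FreeRADIUS 2.x unlang for the
# authorize section of sites-enabled/inner-tunnel, where the PEAP inner
# MS-CHAPv2 request is processed.  Assumptions:
#  - raddb/huntgroups contains:  dot1x  NAS-IP-Address == 192.0.2.10
#    (192.0.2.10 is a placeholder for a real 802.1x authenticator);
#  - eap.conf sets copy_request_to_tunnel = yes in the peap section, so the
#    inner request carries the outer NAS-IP-Address;
#  - 802.1x users have "Cleartext-Password :=" entries in raddb/users.
authorize {
    preprocess          # huntgroups file -> Huntgroup-Name comparison
    mschap              # recognises the inner MS-CHAPv2 request

    if (Huntgroup-Name == "dot1x") {
        # Requests relayed by the 802.1x authenticators only: clear-text
        # entries from raddb/users, which is what MS-CHAPv2 needs.
        # That file is now a credential store; keep it readable by the
        # radius user only and outside any shared or backed-up web path.
        files
    }
    else {
        # Everyone else: SSHA passwords in LDAP, which only PAP can check.
        ldap
    }

    eap
    pap
}
```

Note that this only narrows which requests may use the clear-text file; it does not change the point made above in the thread that the file itself is easier to read than the directory.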
