FR2.1.3+LDAP+802.1x+PEAP

Alan DeKok aland at deployingradius.com
Thu Nov 12 09:18:09 CET 2009


Caius wrote:
> I know about the restrictions,
> but do you know how weak that NT hash is?

  Everyone knows.

> So I can't afford to make all my user password hashes weak...

  Perhaps you didn't read the web page on deployingradius.com.

  If you want to do PEAP, the ONLY CHOICE you have is whether to store
clear-text passwords, or NT hashed passwords.

  Saying you "can't afford" to use NT hash is like saying "I want to
drive a car, but I can't afford the time to learn how".

> Also I need to respect some security guidelines in my system.

  Too bad.  If your security system forbids clear-text passwords && NT
hashed passwords, then it forbids EAP.

  That's what the web page says.  If it's not clear, go read it again.

> I could go to use only clear-text for 802.1x users, have an exception for this kind of users.
> 
> That's why I'm thinking to try some filtering... based on the NAS-ID or NAS-IP I might authenticate the users in users file or LDAP, right? :D

  Put the 802.1X capable users into an LDAP group.  Forbid anyone else
from doing 802.1X.

  And store the passwords clear-text or NT hashed.  Use LDAP ACLs to
limit access to them.

  Alan DeKok.


