FR2.1.3+LDAP+802.1x+PEAP
Caius
caiuspolgar at yahoo.com
Fri Nov 13 09:06:49 CET 2009
Hi Alan,
you're right in what you say,
My conclusion is:
I could go for EAP-TTLS + xsupplicant (there is also a Windows version), then I don't need to weaken my server security, but I force the client to install a third-party tool,
or as discussed with Ivan, I could make some rules, based on the NAS-ID or NAS-IP, where to check for the 802.1x users (in users file), right?
I'll do some tests tomorrow with these solutions and see if I have some problems.
thanks again for your patience and clear answers,
Best Regards,
Caius Pargar
--- On Thu, 11/12/09, Alan DeKok <aland at deployingradius.com> wrote:
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Date: Thursday, November 12, 2009, 10:18 AM
> Caius wrote:
> > I know about the restrictions,
> > but do you know how weak that NT hash is?
>
> Everyone knows.
>
> > so I can't afford to make all my user password hashes
> weak...
>
> Perhaps you didn't read the web page on
> deployingradius.com.
>
> If you want to do PEAP, the ONLY CHOICE you have is
> whether to store
> clear-text passwords, or NT hashed passwords.
>
> Saying you "can't afford" to use NT hash is like
> saying "I want to
> drive a car, but I can't afford the time to learn how".
>
> > also I need to respect some security guidelines in my
> system.
>
> Too bad. If your security system forbids
> clear-text passwords && NT
> hashed passwords, then it forbids EAP.
>
> That's what the web page says. If it's not
> clear, go read it again.
>
> > I could go to use only clear-text for 802.1x users,
> have an exception for this kind of users.
> >
> > that's why I'm thinking to try some filtering... based
> on the NAS-ID or NAS-IP I might authenticate the users in
> users file or LDAP, right? :D
>
> Put the 802.1X capable users into an LDAP
> group. Forbid anyone else
> from doing 802.1X.
>
> And store the passwords clear-text or NT
> hashed. Use LDAP ACLs to
> limit access to them.
>
> Alan DeKok.
>
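One way to combine the NAS-based rule Caius describes with Alan's LDAP-group restriction, written as FreeRADIUS 2.x unlang for the authorize section of the outer "default" virtual server. This is an example added here, not configuration from the thread; the NAS address 192.0.2.10 and the group name dot1x-users are assumptions, and it presumes the ldap module is already configured with group lookup.

```unlang
# raddb/sites-enabled/default (FreeRADIUS 2.1.x), authorize section excerpt.
# Example only; NAS address and group name are assumed values.
authorize {
    preprocess

    # Requests from the 802.1X-capable NAS (assumed address) are looked up
    # in LDAP. Requests from every other NAS keep using the users file,
    # so those accounts never need a Cleartext-Password or NT-Password.
    if (NAS-IP-Address == 192.0.2.10) {
        ldap

        # Only members of the assumed LDAP group may do EAP at all.
        # Anyone else is rejected before the eap module sets Auth-Type.
        if (EAP-Message && !(Ldap-Group == "dot1x-users")) {
            update reply {
                Reply-Message := "802.1X not permitted for this account"
            }
            reject
        }
    }
    else {
        files
    }

    # PEAP/MSCHAPv2 still requires ldap to have supplied either
    # Cleartext-Password or NT-Password for the user, as Alan states.
    eap
    expiration
    logintime
    pap
}
```

For PEAP the inner MSCHAPv2 exchange is handled by the inner-tunnel virtual server, so the same ldap lookup and group check belong in its authorize section as well; restricting read access to the password attribute is then done with LDAP ACLs, as the reply suggests.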