AW: PAP dont decrypt
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jul 23 10:36:08 CEST 2010
On 07/23/2010 09:18 AM, Lionne Stangier wrote:
>> You have edited the default configuration files and broken them.
>
>> You deleted "eap" from the "authorize" section, and then sent the
>> server an EAP request. Don't do that.
>
> It was only a try ;)

Sadly, many people take a hatchet to the configs then seem surprised
when things don't work! Best to make small changes one at a time and
test them, and put your configs into version control so you can roll
them back.

>
>> And if the passwords are stored as MD5, go read:
>
>> http://deployingradius.com/documents/protocols/compatibility.html
>
> I know this side because of that I tested pap.
>
>> Some EAP methods (e.g. PEAP) will *not* work with MD5 hashed
>> passwords. So don't even try.
>
> I know that they don't work. Clear Text passwords in the ldap are a no go.
> Can't pap encrypt the passwords and then eap or peap will start?

"Won't work" really means it. PEAP/MS-CHAP requires access to the
plaintext password or NT/LM hashes, or access to a domain controller
with such via use of the "ntlm_auth" helper and Samba.
It is cryptographically impossible for it to be otherwise I'm afraid.
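
An added illustration of the point made in this message (not part of the original post and not FreeRADIUS code): PAP can be checked against an MD5-hashed store because the server sees the cleartext, while a challenge-response method cannot. It uses CHAP (RFC 1994) as a standard-library stand-in for the challenge-response step rather than MS-CHAP itself; the function names and the sample password are constructed for this example.

```python
import hashlib
import hmac
import os


def md5_hex(password: bytes) -> str:
    """What an MD5-hashed directory entry would hold (constructed format)."""
    return hashlib.md5(password).hexdigest()


def pap_verify(received_cleartext: bytes, stored_md5_hex: str) -> bool:
    # PAP: the server receives the cleartext password, so it can hash it
    # the same way the directory did and compare the two hashes.
    return hmac.compare_digest(md5_hex(received_cleartext), stored_md5_hex)


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_verify(chap_id: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    # The server never sees the password; it must recompute the response
    # from whatever it has stored and compare.
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-sample-password"   # constructed sample value
    stored_md5 = md5_hex(password)              # directory holds only this
    chap_id, challenge = 1, os.urandom(16)
    # Client side: computes the response from the real password.
    response = chap_response(chap_id, password, challenge)
    return {
        "pap_md5_store": pap_verify(password, stored_md5),
        "chap_cleartext_store": chap_verify(chap_id, challenge, response,
                                            password),
        # Server holding only the MD5 hash (hex or raw) cannot reproduce
        # the client's response, whichever form of the hash it tries.
        "chap_md5_hex_store": chap_verify(chap_id, challenge, response,
                                          stored_md5.encode()),
        "chap_md5_raw_store": chap_verify(chap_id, challenge, response,
                                          bytes.fromhex(stored_md5)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```
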