PEAP w/ freeradius to LDAP storing ntPassword

Nelson Vale nelsonduvall at gmail.com
Wed Oct 6 23:58:14 CEST 2010


2010/10/6 schilling <schilling2006 at gmail.com>

> There is smbencrypt radius-utils to generate LM Hash and NT Hash. Any
> known good Perl script to do this?
>

You can use Crypt::SmbHash (from CPAN).


> sding at palm:/usr/bin$ smbencrypt schilling
> LM Hash                                 NT Hash
> --------------------------------        --------------------------------
> D134D8CD21607749DD4218F5E59DD23A        AF8AC3EF6579FC768515F960FB2096AC
>
>
> Then which one is required?
>

NT Hash is required.


>
> Any format requirement in the ldap? Or just copy the 32 character and
> put in the ldap?
>
>
Just put the NT Hash in the sambaNTPassword field in LDAP.


> Thanks.
>
> Schilling
>
> On Wed, Oct 6, 2010 at 2:19 PM, Alan DeKok <aland at deployingradius.com>
> wrote:
> > schilling wrote:
> >> We are trying to use ldap as backend database for dot1x peap
> >> authentication thru freeradius.  The following link has good
> >> explanation.
> >>
> >> http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> >
> >  Note it's 5 years old...
> >
> >> But do we really need both ntpassword and lmpassword in the ldap
> >> directory?
> >
> >  No.
> >
> >> windows client send username and ntpassword to NAS
> >> NAS send the username/ntpassword to radius in a tunnel
> >> radius unwrap the tunnel, using the username to fetch the ntpassword
> >> from ldap, do a comparison of ldap returned ntpassword and unwrapped
> >> ntpassword, if they are the same, authentication accept.
> >
> >  No.  It's a *lot* more complicated than that.
> >
> >  All you need to do is to uncomment "ldap" in
> > raddb/sites-available/inner-tunnel, and it should work.
> >
> >  Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>