Wireless WPA2 enterprise Radius authentication

John Dennis jdennis at redhat.com
Thu Oct 28 01:44:22 CEST 2010


On 10/27/2010 07:11 PM, Sven Hartge wrote:
> You need a password in the clear in your LDAP directory, not hashed. I use a
> different (self defined) attribute in my LDAP directory to do this and
> use ldap.attrmap to map this attribute (called gifb-NetzPassword in my
> schema) to the required RADIUS-Attribute-Name:
>
> checkItem       Cleartext-Password              gifb-NetzPassword

Sven knows this but probably just forgot to mention this. No matter 
which ldap attribute you choose to store the clear text password in make 
sure it is absolutely locked down with LDAP ACIs (Access Controls). 
Consult your LDAP documentation for the exact syntax since it tends to 
vary with different servers. The ACI should permit only the LDAP 
administrator and the radius user (the special user account assigned 
exclusively to the radius *server*) to access the password attribute.

You may additionally provide an extra level of protection if someone 
gets access to the actual disk files (or backups) of the LDAP store by 
asking your ldap server to reversibly encrypt the attribute used to 
store the cleartext password. Not all LDAP servers have this feature but 
many do.

Finally, many people would argue it's never a good idea to store 
cleartext passwords under any circumstance. There is much validity to 
that argument and you should give it careful consideration.

Another option besides storing cleartext is to use a multivalued LDAP 
attribute with different hashes, including the NT hash. But whether you 
go the cleartext route or the multivalued password attribute route 
you'll have to get your users to re-enter their passwords so you can 
generate the hashes. Consult your LDAP documentation, many LDAP servers 
can be configured when storing a password to generate a variety of 
hashes and then throw the cleartext away leaving only the specified 
hashes in LDAP.

-- 
John Dennis <jdennis at redhat.com>

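The "NT hash instead of cleartext" route John describes, as an added example that is not part of this thread or of FreeRADIUS: the NT hash is MD4 over the UTF-16LE encoding of the password, computed here in pure Python because hashlib's MD4 is often disabled in OpenSSL 3 builds, and written out as an LDIF modify for the hash-bearing attribute. The attribute name sambaNTPassword and the DN are assumptions; note that an NT hash is unsalted and fast, so the same ACI lockdown applies to it as to the cleartext attribute.

```python
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (three 16-step rounds over 512-bit blocks, little-endian)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [  # (boolean function, additive constant, X[] access order, shifts)
        (F, 0x00000000, list(range(16)), [3, 7, 11, 19]),
        (G, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], [3, 5, 9, 13]),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]),
    ]
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as a 64-bit LE integer
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4  # step i updates a, d, c, b in turn
                x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                t = (v[j] + fn(x, y, z) + X[order[i]] + const) & 0xFFFFFFFF
                v[j] = _rotl(t, shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash as stored by Windows/Samba: MD4(UTF-16LE(password)), upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

def ldif_set_nt_password(dn: str, password: str, attr: str = "sambaNTPassword") -> str:
    """LDIF 'modify' that replaces the NT-hash attribute for one entry (attr name assumed)."""
    return "\n".join([f"dn: {dn}", "changetype: modify", f"replace: {attr}",
                      f"{attr}: {nt_hash(password)}", ""])

if __name__ == "__main__":
    # Constructed sample entry; feed the output to ldapmodify as the LDAP administrator
    print(ldif_set_nt_password("uid=alice,ou=people,dc=example,dc=org", "password"))
```

The hash line can then be mapped in ldap.attrmap the same way Sven maps his cleartext attribute, only to the NT-Password check item instead of Cleartext-Password.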


