LDAP/MSCHAP
Whitlow, Michael
mwhitlow at bumail.bradley.edu
Tue Nov 15 20:53:10 CET 2011
I wanted to say thanks to everybody from this list who has given me a hand over the past few weeks. I have successfully configured Freeradius to authenticate 802.1X wireless clients from an AD domain and assign them the appropriate VLAN tag based on AD/LDAP group membership. Many thanks to everybody.
-----Original Message-----
From: freeradius-users-bounces+mwhitlow=bumail.bradley.edu at lists.freeradius.org [mailto:freeradius-users-bounces+mwhitlow=bumail.bradley.edu at lists.freeradius.org] On Behalf Of Sven Hartge
Sent: Sunday, November 13, 2011 8:39 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: LDAP/MSCHAP
Andreas Rudat <rudat at endstelle.de> wrote:
> On 12.11.2011 23:00, Sven Hartge wrote:
>> This also means you have to protect those Hashes inside your database
>> like a raw cleartext password, as you can authenticate to any Windows
>> box with the knowledge of the NT/LM-Hash.
>>
>> This has been exploited by several Windows trojan horses, which
>> grabbed the NT-Hash from the Administrator user to log in to other
>> boxes on the network using the same password (or worse: the domain
>> controller).
> Ah, many thanks for clearing that up, so both are bad no matter which
> mechanism is used.
Yes. Storing the NT-Hash has the advantage of not completely exposing
the cleartext password to a possible intruder. Storing the LM-Hash is
just dumb, because a) it limits the length of the password to 16
characters and b) the LM-Hash is easily broken in seconds by today's
computers.
Storing the raw cleartext password is as bad, but it enables one to use
other challenge-handshake auths, if needed.
I chose to store the raw cleartext password in LDAP, but in a different
attribute than the normal userPassword.
This way, if my LDAP servers ever get compromised (or I mess up with an
ACL, enabling anyone to read the cleartext password), just the
WLAN/Dialup-Password of a user is revealed and not the master password
for the account, which is used for mail, login in to computers, etc.
Regards,
Sven.
--
Sigmentation fault. Core dumped.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html