Secure Storage and Transport of User Credentials
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jul 11 15:21:44 CEST 2012
On 11/07/12 14:04, Marco Macala wrote:
> > if you don't trust the network then you will also need to look at
> > using TLS to transport things around - eg RADSEC or a VPN tunnel.
>
> isn't the point of PEAP that I don't need them because it is wrapped in
> an encrypted communication?
Yes.
>
>
> > as for NT hash - yes, there are security issues but only if you have
> > access to them or expose them - if you bind the FreeRADIUS system to
> > an AD and use e.g. ntlm_auth then the NT hash isn't accessed.
>
> The thing is, I can't use AD to store the passwords. Specifically, I
> would like to store the password as a salted hash.
You can't do this and use PEAP. PEAP requires MSCHAPv2, which requires
that the plaintext or the NT hash exist SOMEWHERE. See:
http://deployingradius.com/documents/protocols/compatibility.html
>
> I want something like this:
> - encrypted channel between authenticator and radius server
PEAP or TTLS will provide this.
> - passwords stored as a salted hash
Only TTLS-PAP will provide this. See the link above. TTLS is not
available until Windows 8, so you will need to deploy software on
Windows clients.