Secure Storage and Transport of User Credentials

Marco Macala marco.macala at gmail.com
Wed Jul 11 15:38:44 CEST 2012


Thanks for the information, you really helped me A LOT!

I already looked into
http://deployingradius.com/documents/protocols/compatibility.html
but I hoped there could be some way around this.



2012/7/11 Phil Mayers <p.mayers at imperial.ac.uk>

> On 11/07/12 14:04, Marco Macala wrote:
>
>>  > if you don't trust the network then you will also need to look at
>>  > using TLS to transport
>>  > things around - eg RADSEC or a VPN tunnel.
>>
>> Isn't the point of PEAP that I don't need them because it is wrapped in
>> an encrypted communication?
>>
>
> Yes.
>
>
>
>>
>>  > as for NT hash - yes, there are security issues but only if you have
>>  > access to them
>>  > or expose them - if you bind the FreeRADIUS system to an AD and use
>>  > eg ntlm_auth then the NThash
>>  > isn't accessed.
>>
>> The thing is, I can't use AD to store the passwords. Specifically, I
>> would like to store the password as a salted hash.
>>
>
> You can't do this, and use PEAP. PEAP requires MSCHAPv2, which requires
> plaintext or NT hash exist SOMEWHERE. See:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>
>
>
>> I want something like this:
>> - encrypted channel between authenticator and radius server
>>
>
> PEAP or TTLS will provide this.
>
>
>> - passwords stored as a salted hash
>>
>
> Only TTLS-PAP will provide this. See the link above. TTLS is not available
> until Windows 8, so you will need to deploy software on Windows clients.
>
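
Added example, not part of the original thread and not FreeRADIUS code: why a salted hash can verify PAP inside the TLS tunnel but cannot verify a challenge-response method such as MSCHAPv2. SHA-256 and HMAC stand in for the real MD4 NT hash and DES-based response; all function names and the sample password are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the salted hash

def salted_record(password: str) -> tuple[bytes, bytes]:
    """What a TTLS-PAP deployment can store: a random salt and a slow salted hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_pap(record: tuple[bytes, bytes], cleartext: str) -> bool:
    """PAP hands the server the cleartext (inside the tunnel), so it can re-hash it."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def fixed_key(password: str) -> bytes:
    """Stand-in for the NT hash: an unsalted, deterministic function of the password.
    The real NT hash is MD4 over the UTF-16LE password; SHA-256 is swapped in here."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def cr_response(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the MSCHAPv2 response (HMAC replaces the real DES construction)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def verify_cr(server_key: bytes, challenge: bytes, response: bytes) -> bool:
    """The server must hold the same key the client derived to recompute the response."""
    return hmac.compare_digest(cr_response(server_key, challenge), response)

def demo() -> dict:
    password = "correct horse"          # constructed sample value
    record = salted_record(password)    # server side, salted storage
    challenge = os.urandom(16)
    # The client only knows the password; it never learns the server's salt.
    client_resp = cr_response(fixed_key(password), challenge)
    return {
        "pap_with_salted_hash": verify_pap(record, password),
        "pap_wrong_password": verify_pap(record, "wrong"),
        "cr_with_fixed_key": verify_cr(fixed_key(password), challenge, client_resp),
        "cr_with_salted_hash": verify_cr(record[1], challenge, client_resp),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The last case fails because the server never sees the password and the client never sees the salt, so the two sides cannot derive the same key.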

