"Best" authentication mechanisms for Wi-Fi

Olivier Nicole Olivier.Nicole at cs.ait.ac.th
Tue May 5 12:47:59 CEST 2015


>> In the same newbie language (because I am), you must use
>> EAP/MS-CHAP. This implies that you have your passwords stored in a LMNT
>> compatible way (some flavor of MD4).
>>
>> What I ended with in LDAP is a normal MD5 hashed password for more of
>> the usage and the same password hashed the MS way for Samba and 802.11x
>> (and all the burden to keep the passwords in sync).
> Indeed, I would have preferred to keep our current hashing mechanism,
> that's why I can't really move on to this. And of course, because once
> the passwords are hashed our way, we can't hash them differently, being
> unable to have the clear text ones.

That is why I have both hashes in the database (ldap). I had to ask the
users to change their password once, and the procedure to change the
password would update both passwords in parallel.

I implemented the dual hash many years ago, new users don't even know
about it.

Olivier

>
> Cheers.
>
>
> [1/2:application/pgp-signature Show Save:signature.asc (181B)]
>
>
> [2:text/plain Hide]
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 


More information about the Freeradius-Users mailing list