"Best" authentication mechanisms for Wi-Fi
michael at stroeder.com
Tue May 5 19:52:15 CEST 2015
Olivier Nicole wrote:
>>> In the same newbie language (because I am), you must use
>>> EAP/MS-CHAP. This implies that you have your passwords stored in a LMNT
>>> compatible way (some flavor of MD4).
>>> What I ended with in LDAP is a normal MD5 hashed password for most of
>>> the usage and the same password hashed the MS way for Samba and 802.11x
>>> (and all the burden to keep the passwords in sync).
>> Indeed, I would have preferred to keep our current hashing mechanism,
>> that's why I can't really move on to this. And of course, because once
>> the passwords are hashed our way, we can't hash them differently, being
>> unable to have the clear text ones.
> That is why I have both hashes in the database (ldap). I had to ask the
> users to change their password once, and the procedure to change the
> password would update both passwords in parallel.
> I implemented the dual hash many years ago, new users don't even know
> about it.
But bear in mind: With that approach the effective security strength is always
that of the weaker hash algorithm.
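The point in the reply above, that an account storing two hashes is only as strong as the weaker one, can be checked across a directory export. The script below is an added example and not part of the original thread. It assumes the Samba schema attributes `sambaNTPassword` and `sambaLMPassword` alongside `userPassword`, and the weakest-first ordering in `RANK` is an assumption made for illustration; the LDIF sample is constructed.

```python
import base64

# Weakest first. This ordering is an assumption made for the example.
RANK = ["LM", "NT", "MD5", "SHA", "SMD5", "SSHA"]
SAMBA_ATTRS = {"sambalmpassword": "LM", "sambantpassword": "NT"}

# Constructed sample export; hash values are placeholders, not real hashes.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "userPassword: {MD5}PLACEHOLDER\n"
    "sambaNTPassword: " + "0" * 32 + "\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=org\n"
    "userPassword:: " + base64.b64encode(b"{SSHA}PLACEHOLDER").decode() + "\n"
)

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry ('::' base64, folded lines)."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.replace("\n ", "").splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        yield entry

def stored_schemes(entry):
    """Return the set of hash schemes stored for one account."""
    schemes = {label for attr, label in SAMBA_ATTRS.items()
               if any(entry.get(attr, []))}
    for value in entry.get("userpassword", []):
        if value.startswith("{") and "}" in value:
            schemes.add(value[1:value.index("}")].upper())
    return schemes

def audit(ldif_text):
    """Map each DN to (all stored schemes, weakest known scheme or None)."""
    report = {}
    for entry in parse_ldif(ldif_text):
        schemes = stored_schemes(entry)
        if schemes:
            known = [s for s in RANK if s in schemes]
            report[entry["dn"][0]] = (sorted(schemes), known[0] if known else None)
    return report

if __name__ == "__main__":
    for dn, (schemes, weakest) in audit(SAMPLE_LDIF).items():
        print(f"{dn}: stored={schemes} effective={weakest}")
```

Accounts whose effective scheme differs from the `userPassword` scheme are the ones where the second hash lowers the strength of the stored credential.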