"Best" authentication mechanisms for Wi-Fi

Michael Ströder michael at stroeder.com
Tue May 5 19:52:15 CEST 2015


Olivier Nicole wrote:
>>> In the same newbie language (because I am), you must use
>>> EAP/MS-CHAP. This implies that you have your passwords stored in a LMNT
>>> compatible way (some flavor of MD4).
>>>
>>> What I ended with in LDAP is a normal MD5 hashed password for more of
>>> the usage and the same password hashed the MS way for Samba and 802.11x
>>> (and all the burden to keep the passwords in sync).
>> Indeed, I would have preferred to keep our current hashing mechanism,
>> that's why I can't really move on to this. And of course, because once
>> the passwords are hashed our way, we can't hash them differently, being
>> unable to have the clear text ones.
>
> That is why I have both hashes in the database (ldap). I had to ask the
> users to change their password once, and the procedure to change the
> password would update both passwords in parallel.
>
> I implemented the dual hash many years ago, new users don't even know
> about it.

But bear in mind: With that approach the effective security strength is always 
that of the weaker hash algorithm.

Ciao, Michael.
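
An audit that applies the point above to a directory export, reporting the weakest credential stored per entry. This is an added example, not part of the thread or of FreeRADIUS; it assumes the `userPassword` scheme prefixes used by OpenLDAP and the Samba schema attributes `sambaNTPassword`/`sambaLMPassword`, unfolded LDIF lines, and a strength ordering that is itself an assumption.

```python
import base64
# Assumed ordering, weakest first; site policy may rank these differently.
STRENGTH = ["cleartext", "LM", "NT", "{MD5}", "{SHA}", "{SMD5}", "{SSHA}"]
SAMBA_ATTRS = {"sambalmpassword": "LM", "sambantpassword": "NT"}

def rank(scheme):
    # Unknown schemes sort as strongest so they never mask a known weak one.
    return STRENGTH.index(scheme) if scheme in STRENGTH else len(STRENGTH)

def scheme_of(attr, value):
    """Label one attribute/value pair, or return None if it is not a credential."""
    attr = attr.lower()
    if attr in SAMBA_ATTRS:
        return SAMBA_ATTRS[attr]
    if attr != "userpassword":
        return None
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return "cleartext"

def audit(ldif):
    """Return {dn: (weakest_scheme, schemes_found)} for entries holding credentials."""
    report = {}
    for block in ldif.strip().split("\n\n"):
        dn, schemes = None, []
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form, as ldapsearch prints it
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            value = value.strip()
            if attr.lower() == "dn":
                dn = value
            elif (found := scheme_of(attr, value)) is not None:
                schemes.append(found)
        if dn and schemes:
            report[dn] = (min(schemes, key=rank), schemes)
    return report

# Constructed sample (not from the thread): alice has the dual-hash layout, bob one hash.
SAMPLE = (
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "userPassword: {MD5}constructedPlaceholder\n"
    "sambaNTPassword: 00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=org\n"
    "userPassword:: " + base64.b64encode(b"{SSHA}constructedPlaceholder").decode() + "\n"
)

if __name__ == "__main__": print(audit(SAMPLE))
```
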

More information about the Freeradius-Users mailing list