EAP-pwd and NT-Password
Alan DeKok
aland at deployingradius.com
Thu Oct 6 18:03:05 CEST 2016
On Oct 6, 2016, at 11:39 AM, Brian Candler <b.candler at pobox.com> wrote:
>
> I am looking at testing EAP-pwd [^1] as an alternative to PEAP for wireless authentication.
>
> The documentation in FreeRADIUS is unclear as to what authorization attributes are required, but digging into the source it appears to be a cleartext password:

Yes.

> Now, RFC 5931 offers three options, and one of them is to use the MSCHAPv2 password hash:
>
> " o RFC 2759: The input password string SHALL be processed to produce
> the output PasswordHashHash, as defined in [RFC2759]

Yes. That isn't implemented.

> This would be *really* convenient, as then I could use the control:NT-Password that I already use for PEAP. (The user database is FreeIPA and doesn't store cleartext passwords, but does have the NT hash)
>
> I see the "prep" field and constant definitions are in the source, e.g. EAP_PWD_PREP_MS, but the code appears to be fixed to EAP_PWD_PREP_NONE at the moment.
>
> Is this something which has already been considered?

Not yet. Mostly due to time.

> [^1] It seems that EAP-pwd and EAP-EKE have the same goal, of doing strong mutual authentication with a password. I haven't been able to find any comparison of the strengths and weaknesses of these protocols. But EAP-pwd has the advantage of being deployable: it's supported by Android and by FreeRADIUS.

We should have EAP-EKE in v4 some time soon...

Alan DeKok.