Cisco WLC + password hashing
Matthew Newton
mcn4 at leicester.ac.uk
Fri Sep 9 10:39:52 CEST 2016
On Thu, Sep 08, 2016 at 08:45:59PM -0500, David Jimenez wrote:
> I am using a Cisco WLC with freeradius and it seems, regardless
> of what I do to the eap config file, the combination of
> freeradius+Cisco 2504 only allows NTLM password hashing.

I'm not sure what you're seeing. The Cisco WLCs just pass EAP
through from the client like any other NAS [should].

> I read that type of hashing is completely vulnerable now. So, is
> it worth implementing it at all or should I just use cleartext?

There's probably not much difference in either. Use EAP-TLS if you
want better security. If it's convenience (which, let's face it,
most people prefer) then PEAP/MSCHAPv2 is the most common.

> Any other users here that have a Cisco WLC, what do you usually
> do in production deployments?

We're using at least EAP-TLS, PEAP/EAP-MSCHAPv2,
EAP-TTLS/MSCHAPv2, EAP-TTLS/PAP.

Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>