Problem with LDAP authentication
Matthew Newton
matthew at newtoncomputing.co.uk
Fri May 19 12:09:19 CEST 2017
On Fri, May 19, 2017 at 09:59:49AM +0000, Pircher, Sabine wrote:
> WORKS: Storing the passwords in clear-text in the LDAP database
> (Standard-PosixAccount).
> But in general I don’t like to store any passwords in
> clear-text.
>
> I read this article:
> http://deployingradius.com/documents/protocols/compatibility.html
> and PAP inside EAP-TTLS looks good for me to store encrypted
> passwords, but I’m new to freeradius and authentication.
>
> What’s the best way ‘to do’ it?
Decide on a combination that works for your environment. Which
probably means evaluating what EAP methods your client
supplicants can do and then having to store passwords that are
compatible.
A lot of clients can't do EAP-TTLS/PAP (e.g. Windows 7). So you
end up having to use PEAP/EAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2.
Which means storing the passwords in NTLM hash or cleartext. And
NTLM hash isn't much better than cleartext.
If all your clients support EAP-TTLS/PAP then sure, store the
passwords hashed in whatever method you like.
Or just move to EAP-TLS and use certificates. But the overheads
of that are significantly higher with cert management.
--
Matthew
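As an added example (not from this thread or from the FreeRADIUS project), the two storage formats the reply contrasts: the unsalted NT hash that PEAP/EAP-MSCHAPv2 and EAP-TTLS/MSCHAPv2 require the server to hold, and a salted OpenLDAP {SSHA} hash that only an inner PAP method can verify. The pure-Python MD4 is there because OpenSSL 3 frequently does not expose MD4 through hashlib; the user table at the end is constructed.

```python
import base64, hashlib, os, struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new("md4") needs OpenSSL's legacy provider."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bits = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bits)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):  # round 1: message words in order
            A, D, C, B = D, C, B, _rotl((A + F(B, C, D) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
        for i in range(16):  # round 2: column order 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            A, D, C, B = D, C, B, _rotl((A + G(B, C, D) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
        for i in range(16):  # round 3: fixed permutation from the RFC
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            A, D, C, B = D, C, B, _rotl((A + H(B, C, D) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
        a, b, c, d = ((a + A) & 0xFFFFFFFF, (b + B) & 0xFFFFFFFF, (c + C) & 0xFFFFFFFF, (d + D) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """What an MSCHAPv2 inner method needs on the server: MD4 over UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le"))

def ssha_hash(password: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), fresh salt per entry."""
    salt = os.urandom(8) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def verify_ssha(password: str, stored: str) -> bool:
    """PAP check: the server sees the cleartext, so it can recompute the salted hash."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def shared_nt_hashes(users: dict) -> dict:
    """Why an unsalted NT hash is close to cleartext: identical passwords are visible
    as identical hashes across the whole directory (and crack once for all)."""
    groups = {}
    for name, pw in users.items():
        groups.setdefault(nt_hash(pw).hex(), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}

# Constructed sample directory; the {SSHA} entries differ even where passwords match.
USERS = {"alice": "Winter2017!", "bob": "Winter2017!", "carol": "correct horse"}
```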