About EAP-TTLS + MS-CHAPv2 authentication
Yuya Yanagi
peacefull64 at gmail.com
Wed Jul 31 13:52:01 CEST 2019
Hi Alan
I confirmed the following questions.
Passwords stored in LDAP were encrypted with NT hash password.
>> The LDAP server uses OpenLDAP.
> Then the database needs to supply a Cleartext-Password to FreeRAIDUS.
>> Authentication of Wifi_AP and wired LAN does not use AD.
>>
>> The attribute about the user is set to OpenLDAP.
> OK.
> How are the passwords stored in LDAP? Clear text? crypt? Some other method?
> Only Clear text passwords and NT hashed passwords are compatible with MS-CHAPv2.
2019-07-31 0:15 GMT+09:00, Yuya Yanagi <peacefull64 at gmail.com>:
> Alan
>
>>
>> OK.
>>
>> How are the passwords stored in LDAP? Clear text? crypt? Some other
>> method?
>
> The content of the attribute that holds the LDAP password is encrypted.
> Apart from that, there is also an attribute that has an unencrypted
> password, but since it is dangerous if it is described in the log etc,
> encryption is used instead.
>
> It is unclear whether this encrypted password is an NT hashed
> password, so I will check it.
>
> 2019-07-31 0:08 GMT+09:00, Alan DeKok <aland at deployingradius.com>:
>> On Jul 30, 2019, at 11:06 AM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
>>>
>>> Thank you for your reply.
>>>
>>> The LDAP server uses OpenLDAP.
>>
>> Then the database needs to supply a Cleartext-Password to FreeRAIDUS.
>>
>>> Authentication of Wifi_AP and wired LAN does not use AD.
>>>
>>> The attribute about the user is set to OpenLDAP.
>>
>> OK.
>>
>> How are the passwords stored in LDAP? Clear text? crypt? Some other
>> method?
>>
>> Only Clear text passwords and NT hashed passwords are compatible with
>> MS-CHAPv2.
>>
>>> The migration source passes authentication with MS-CHAPv2, but
>>> Maybe you should choose MS-Chapv2?
>>
>> They're the same thing.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list