hello :-)

"McNutt, Justin M." wrote:
> 
> Okay, so the way that Microsoft's RADIUS server gets away with this is due to the
> fact that in a Microsoft domain, user names and passwords are not stored using
> strong (one-way) encryption. You can decrypt the password file.
> 
> So when an EAP request comes in to an MS RADIUS server, MS decrypts your password,
> then encrypts it again using EAP-MD5, which it can then check against the string
> that came from the NAS.
> 
> Right?

no idea :-) I've never been in touch with MS RADIUS, RAS and all this
stuff. In any case it has to have the clear-text password, since it
_should_ not be possible to derive the password from the authentication
string (there is no proof, though :-)).

EAP-TLS was developed by Mr. Aboba (et al.), who is currently working
for Microsoft if I'm not completely mistaken. It represents a complete
TLS exchange carried over EAP. EAP itself is only the negotiation scheme
and the carrier frame for the negotiated protocol. So, I guess that the
real challenge during the protocol development was the segmentation of
TLS packets, which can become rather huge with all the certificate stuff
in them. EAP-TLS should be natively supported by every WinXP box (well,
I'm not sure about the "Home Edition"...), which is interesting from the
customer's/user's point of view. (Besides: does anybody know something
about such support (for WiFi) in Linux? It would be very interesting to
get some links.)

Above all, EAP-TLS is an alternative because it is not at all limited to
any particular form of password and provides for the use of strong
encryption, in contrast to CHAP-like MD5 protection: D-H exchanges based
on different groups, TDES, client and server certificates, etc., briefly
all the stuff that is defined by TLS.


Regards,

artur


PS: great job, the support for EAP-TLS in FreeRADIUS!!!! Thank you! We
are trying to test it right now; I would be happy to give some feedback
as soon as we have something to tell! (ah)


-- 
hecker -at- enst.fr

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
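Two points in the message above lend themselves to a worked illustration: that a CHAP/EAP-MD5 verifier needs the clear-text password on the server side, and that EAP is only a carrier frame, so an EAP-TLS implementation has to fragment large TLS messages (certificate chains) into EAP packets and reassemble them, using the L (length included), M (more fragments) and S (start) flags from the EAP-TLS specification. The code below is an added example written for this page; it is not code from the poster, from FreeRADIUS, or from Microsoft. The TLS payload, the fragment size and the password are constructed sample values.

```python
import hashlib
import struct

# EAP framing (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Type-Data...
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4        # EAP-MD5-Challenge
EAP_TYPE_TLS = 13       # EAP-TLS
# EAP-TLS flags byte (RFC 2716 / RFC 5216)
TLS_FLAG_L, TLS_FLAG_M, TLS_FLAG_S = 0x80, 0x40, 0x20


def eap_packet(code, identifier, body):
    """Wrap a type-specific body in an EAP header with the correct length."""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def md5_challenge_response(identifier, password, challenge):
    """EAP-MD5 response value: MD5(Identifier || Secret || Challenge).
    The verifier must recompute this, so it needs the clear-text secret."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_md5_response(identifier, password, challenge, response):
    return md5_challenge_response(identifier, password, challenge) == response


def fragment_tls(identifier, tls_data, max_frag):
    """Split a TLS message into EAP-Request/EAP-TLS packets.
    max_frag is the number of TLS bytes per packet (constructed limit).
    The first fragment of a fragmented message carries the L flag and the
    4-byte total TLS message length; every fragment but the last sets M."""
    packets, offset, total = [], 0, len(tls_data)
    while offset < total:
        chunk = tls_data[offset:offset + max_frag]
        first = offset == 0
        offset += len(chunk)
        flags = 0
        if first and total > len(chunk):
            flags |= TLS_FLAG_L
        if offset < total:
            flags |= TLS_FLAG_M
        body = bytes([EAP_TYPE_TLS, flags])
        if flags & TLS_FLAG_L:
            body += struct.pack("!I", total)
        packets.append(eap_packet(EAP_REQUEST, identifier, body + chunk))
        identifier = (identifier + 1) & 0xFF   # each fragment is its own request
    return packets


def tls_ack(identifier):
    """Empty EAP-Response/EAP-TLS the peer sends to acknowledge a fragment."""
    return eap_packet(EAP_RESPONSE, identifier, bytes([EAP_TYPE_TLS, 0]))


def parse_eap_tls(pkt):
    """Validate the EAP header and return (identifier, flags, total_len, data)."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 6:
        raise ValueError("bad EAP length")
    if pkt[4] != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS packet")
    flags, pos, total = pkt[5], 6, None
    if flags & TLS_FLAG_L:
        if length < 10:
            raise ValueError("L flag set but no length field")
        total = struct.unpack("!I", pkt[6:10])[0]
        pos = 10
    return identifier, flags, total, pkt[pos:]


def reassemble_tls(packets):
    """Reassemble fragments into the original TLS message, bounding the
    buffer by the announced length so a peer cannot grow it without limit."""
    buf, expected = bytearray(), None
    for index, pkt in enumerate(packets):
        _, flags, total, data = parse_eap_tls(pkt)
        if index == 0:
            if flags & TLS_FLAG_M and not flags & TLS_FLAG_L:
                raise ValueError("first fragment must announce total length")
            expected = total if total is not None else len(data)
        buf += data
        if len(buf) > expected:
            raise ValueError("fragment data exceeds announced length")
        if not flags & TLS_FLAG_M:
            break
    if len(buf) != expected:
        raise ValueError("incomplete TLS message")
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample values: a 1000-byte stand-in for a certificate message.
    tls_msg = bytes(range(256)) * 3 + bytes(232)
    frags = fragment_tls(0x10, tls_msg, 400)
    assert reassemble_tls(frags) == tls_msg
    print(len(frags), "fragments; first flags = 0x%02x" % frags[0][5])
</test>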
