Hi Tim.

You can hack the portal to change users' passwords if they change them on the portal.
You could of course make freeradius authenticate your users from the portal database 
as well.
FreeRadius should work fine against MSSQL but I have never tested it myself.
The passwords will not be sent in clear text, that is the whole point. 
Your PPP users will authenticate with encryption against SQL server with unencrypted 
passwords.
The only danger is someone could break into your Windows box and read users' 
passwords. Otherwise you're on the safe side.
MPPE is for PPPoE/PPTP, and PPTP is used by Microsoft to create VPN connections. This 
is the same thing, the same encryption method.
And yes, PPP is the same protocol as the one used by dialup users. You "dial" your 
server with username and password pair.
After that you're granted access to the resources you want to share, i.e. internet 
access or access to your LAN.
PPPoE and PPTP work a bit differently. With PPTP users need an initial IP, either 
given them by you or by a DHCP server. This is like if they had a telephone number. 
Then they "call" your PPTP server using its IP number.
With PPPoE you do not need any initial IP. PPPoE is kinda like DHCP. The client's 
software detects a PPPoE server, makes a call with username and password and gets all 
the info needed to access your resources.
Many ISPs use PPPoE for their xDSL connections. We use it for our WLAN customers. It's 
a very easy and convenient way of dealing with stuff for an ISP. 
Windows XP users have a native PPPoE client in their OS, other users would need 
something like RASPPPOE to create a connection.
All they need is username and password, everything else is "given" them by your PPPoE 
server, things like IP, DNS servers, default route, encryption method, compression (or 
not). If your NAS (network access server) supports it, you can also set up bandwidth 
restrictions on each connection or for all of them. This is also something NAS gets 
from your database. 
Pretty cool, isn't it?

Cheers,

YazzY


On Fri, 11 Jun 2004 17:27:05 +0800
<[EMAIL PROTECTED]> wrote:

> Hi yazzy.
> 
> Wow, thanks for your quick reply!  I can bet I saw many of your posts on
> google too... :)
> 
> Anyway, just wondering, will it be insecure if the user/passwords are just
> left in clear text on a server?
> 
> Actually, I don't really like the idea of having a different user/pass for
> the radius authentication and for the portal server authentication... makes
> it more difficult should a student forget his/her password... but the worst
> thing of all, the school portal server, its MSSQL db and the internal school
> network are separated by the entire internet... I'm not sure about the SQL
> protocol, but if I were to grab user/pass list from the portal server, does
> it mean they'll be in plain text over the internet too?
> 
> Forgive me if I'm wrong, but when you mention ppp and mppe128, I've only
> heard of them as dialup/VPN protocols... or can they be used in APs too?
> 
> 
> Thanks so much,
> Tim.
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Martin Jessa
> Sent: Friday, June 11, 2004 5:04 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: MD5-hashed passwords?
> 
> Hi Tim.
> 
> If you want to use encryption for your ppp users you need to drop md5
> hashing of your sql passwords.
> Just sync your old SQL database with a new one for radius only and put
> unencrypted passwords there.
> You can use md5 hashed passwords but then you will not be able to use crypto
> for your PPP connections.
> I'd suggest you use PPPoE with MPPE128 bit encryption for both passwords
> and data.
> You will get a slight overhead on data encryption but not much really.
> With PPP(oE) you can easily add different bandwidth limits for each of the
> users, set up user's static or dynamic IPs. 
> 
> Cheers, 
> YazzY
> 
> On Fri, 11 Jun 2004 16:47:43 +0800
> <[EMAIL PROTECTED]> wrote:
> 
> > Hi everyone.
> > 
> > I've tried searching google countless times but can't get the solution, so
> > I'm hoping you guys can help me...
> > 
> > Case: I currently have 11 Cisco 350 series APs in a school, and I'd like to
> > move away from using MAC filters (for about 250 users so far) and use a
> > radius solution.  The students each have access to a portal, but the
> > passwords are all hashed with MD5 and stored in a MSSQL database.
> > 
> > Questions: Are there any authentication protocols (that can use MD5 hashed
> > passwords) that I could use to authenticate the wireless users?  I read the
> > section about using PAP, but should I use it, does it mean that the
> > user/pass will be transmitted over the air unencrypted?  I'm also hoping to
> > use some sort of dynamic WEP key rotation or TKIP.
> > 
> > Right now when I try to configure the clients, I only see PEAP or
> > certificates (which I don't want to use) as methods of 802.1x
> > authentication, or LEAP if I use the cisco aironet client... does it mean
> > I'm limited to the two for authenticating wireless users?
> > 
> > If I'm able to change the type of encryption used for the portal server's
> > password database, which type of encryption is supported by
> > EAP/LEAP/freeradius?
> > 
> > I'm very new at network authentication/freeradius/linux, so forgive me if I
> > say something wrong.
> > 
> > 
> > Thanks,
> > Tim.
> > 
> > 
> > - 
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
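
Why the MD5-hashed portal passwords cannot back a challenge-response login, as an added illustration that is not part of the original thread. CHAP (RFC 1994) stands in here for the MS-CHAP exchange that MPPE depends on; the account, password and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample account; not taken from the thread.
USER, PASSWORD = "student1", "s3cret-pass"

# The two ways the password could sit in the SQL table.
STORE_CLEARTEXT = {USER: PASSWORD}
STORE_MD5 = {USER: hashlib.md5(PASSWORD.encode()).hexdigest()}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5 over identifier byte + secret + challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_pap(store: dict, hashed: bool, user: str, sent: str) -> bool:
    """PAP hands the server the password itself, so the server can hash it
    and compare against either kind of stored value."""
    stored = store.get(user)
    if stored is None:
        return False
    candidate = hashlib.md5(sent.encode()).hexdigest() if hashed else sent
    return hmac.compare_digest(candidate.encode(), stored.encode())


def verify_chap(store: dict, user: str, ident: int,
                challenge: bytes, response: bytes) -> bool:
    """CHAP never sends the password; the server must recompute the response
    from its stored secret, which only matches what the client typed when the
    stored value is the cleartext password."""
    stored = store.get(user)
    if stored is None:
        return False
    expected = chap_response(ident, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    ident, challenge = 1, os.urandom(16)            # sent by the server
    resp = chap_response(ident, PASSWORD.encode(), challenge)  # client side
    return {
        "pap_md5_store": verify_pap(STORE_MD5, True, USER, PASSWORD),
        "chap_cleartext_store": verify_chap(STORE_CLEARTEXT, USER, ident, challenge, resp),
        "chap_md5_store": verify_chap(STORE_MD5, USER, ident, challenge, resp),
        "chap_wrong_password": verify_chap(STORE_CLEARTEXT, USER, ident, challenge,
                                           chap_response(ident, b"guess", challenge)),
    }
```
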
