Sebastian Mauer <[EMAIL PROTECTED]> wrote:
> I just researched a little bit in the freeradius-users list and found
> out that there have to be clear passwords in the LDAP Directory to get
> FreeRADIUS to work with LDAP. However I think it's not very secure to
> store the passwords in clear in the Directory, even if there are ACLs in
> Place.

Too bad. That's how the security protocols were designed. And there are good reasons why they were designed that way.

> Is it really not possible to do PEAP (w. MSCHAPv2) when I have NT-Hashes
> in the Directory?

It *is* possible. But only because the NT hashes are "plain-text equivalent". This means having the NT hash is just as good (for an attacker) as having the clear-text password.

So using NT hashes in LDAP may make you *feel* more secure, because they're not "clear-text". But it won't *honestly* be more secure. Why? 5G of disk space and 30 seconds of computer time can turn 90% or more of NT hashes back into clear-text passwords, among other reasons.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html