Hi, I'm going to ask a follow-up question here so I'll be better equipped to answer the same question from others when I explain that we cannot do 802.1x-PEAP with ssha-1 passwords stored in ldap.
From what I understand, the reason this won't work is because ssha-1 passwords are 1-way encrypted and therefore cannot be decrypted by the radius server for comparison of user credentials. Correct?

I guess the obvious question is why can't the Radius server simply perform a bind attempt to the LDAP server during authentication, as opposed to trying to compare the password received by the authenticator to the ssha-1 password stored in ldap?

Thanks

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: July 17, 2006 7:51 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: 802.1x with mschap-radius-ldap with ssha-1 passwords

"Matt Ashfield" <[EMAIL PROTECTED]> wrote:
> I was afraid you'd say that. What would you suggest as a workaround for this
> problem? Could I do EAP-TTLS using the securew2 client instead?

  Yes.

> Or am I better off creating a 2nd password attribute on the LDAP
> directory that is maybe encoded as an NT-Password attribute or
> something like that.

  That works once everyone changes their password.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html