Nicolas Goutte wrote:

On 20.05.2008 at 16:05, Dean, Barry wrote:

Alan DeKok said:

It is impossible to use CHAP to authenticate to AD. You MUST use MS-CHAP, or PAP.

When testing my Radius server with AD and XSupplicant I found that EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all failed.

So you have explained why EAP-TTLS (CHAP) fails, thanks!

So, are EAP-MD5 and EAP-TTLS (MD5) also not possible, or is my Radius config broken?

As far as I understand, the password for MS-CHAP is MD4 on UTF-16LE. So if you have only a password for MS-CHAP, you do not have an MD5 version of the password.

That's correct. We don't use AD so didn't have the NT hash of the users' passwords in our LDAP directory. We used transparent credential capture on one of our major web applications over a few months to populate the NT Password field.

Here is a nice one-liner (well, three with the example) in PHP:

<?php

// NT hash as used by MS-CHAP: MD4 over the UTF-16LE (UCS-2LE) encoding of the password.
$str = 'myPassword';

// NT passwords are at most 128 characters. Truncate before re-encoding, so the count
// is in characters of the source string rather than bytes of the UTF-16 output.
$utf16 = mb_convert_encoding(mb_substr($str, 0, 128, 'UTF-8'), 'UCS-2LE', 'UTF-8');

// hash('md4') returns lowercase hex directly; the original bin2hex(mhash(MHASH_MD4, ...))
// gives the same result, but mhash() was removed in PHP 8.1.
$hash = hash('md4', $utf16);

echo $hash, "\n";

?>


---------------
Barry Dean
Networks Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841


--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services (IT Services) E1-1-08, Engineering 1, University Of Sussex, Brighton
EXT: +44 1273 873900 | INT: 3900
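
Added example, not from this thread: a Python version of the NT-hash computation above, with MD4 implemented inline (RFC 1320) so it runs without hashlib's md4 (which often needs OpenSSL's legacy provider), plus the RFC 1994 CHAP response to show why a directory holding only NT hashes can serve MS-CHAP but not CHAP or EAP-MD5. Function names and the sample challenge are my own.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian 64-bit int.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, additive constant, shift amounts, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: int(f"{i:04b}"[::-1], 2)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, s, idx in rounds:
            for i in range(16):
                a = _rotl((a + f(b, c, d) + X[idx(i)] + k) & MASK, s[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so each step updates the next register
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as AD stores it: MD4 over UTF-16LE, password capped at 128 characters.
    The str is truncated (in code points) before encoding, as the PHP one-liner intends."""
    return md4(password[:128].encode("utf-16-le")).hex()


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || cleartext secret || challenge).
    It needs the cleartext password, so a store holding only NT hashes cannot verify it."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


if __name__ == "__main__":
    print(nt_hash("myPassword"))  # same value the PHP one-liner above prints
    # Constructed 16-byte challenge, for illustration only.
    print(chap_response(1, "myPassword", bytes(range(16))).hex())
```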
