Caius wrote:
> regarding your tips:
> a) i don't wanna do, maybe if i have no other choice, i'll have 2 password
> attributes SSHA+NTLM, but it's a clear no to clear-text, and a maybe to NT hash

NTLM is largely a version of MSCHAP for Active Directory. If you want to do PEAP authentication, you need clear-text passwords, or NT hashes.

> b) need it, so not gonna happen
>
> so, as i need to proceed further with my investigation, what are my options
> really? :D
>
> i was thinking at the following:
> to do the normal user authentication in LDAP, based on the provided realm,
> and if no realm present authenticate the users in users file.
> Users which use 802.1x will be saved in clear-text in users file
> and users used for authentication for other stuff, will be checked in LDAP
> (@mydomain.com)
>
>
> or can i switch this around? a user: myu...@dot1x.com will be based on the
> real authenticated in users file for 802.1x and a user with no realm will be
> authenticated in LDAP?

I would suggest using email addresses for 802.1X authentication. Inventing fake realms is a bad idea.

Alan DeKok.