Caius wrote:
> regarding your tips:
> a) I don't wanna do, maybe if I have no other choice, I'll have 2 password
> attributes SSHA+NTLM, but it's a clear no to clear-text, and a maybe to NT hash

  NTLM is largely a version of MSCHAP for Active Directory.

  If you want to do PEAP authentication, you need clear-text passwords,
or NT hashes.

> b)  need it, so not gonna happen 
> 
> so, as I need to proceed further with my investigation, what are my options
> really? :D
>
> I was thinking of the following:
> to do the normal user authentication in LDAP, based on the provided realm, 
> and if no realm present authenticate the users in users file.
> Users which use 802.1x will be saved in clear-text in users file
> and users used for authentication for other stuff, will be checked in LDAP 
> (@mydomain.com)
> 
> 
> or can I switch this around? a user: myu...@dot1x.com will be based on the
> realm authenticated in users file for 802.1x and a user with no realm will be
> authenticated in LDAP?

  I would suggest using email addresses for 802.1X authentication.
Inventing fake realms is a bad idea.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
