Hi Alan,

You're right in what you say.

My conclusion is: I could go for EAP-TTLS + xsupplicant (there is also a Windows version); then I don't need to weaken my server security, but I force the client to install a 3rd-party tool,
or, as discussed with Ivan, I could make some rules, based on the NAS-ID or NAS-IP, where to check for the 802.1x users (in users file), right?

I'll do some tests tomorrow with these solutions and see if I have some problems.

Thanks again for your patience and clear answers,

Best Regards,
Caius Pargar

--- On Thu, 11/12/09, Alan DeKok <al...@deployingradius.com> wrote:

> From: Alan DeKok <al...@deployingradius.com>
> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP
> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> Date: Thursday, November 12, 2009, 10:18 AM
>
> Caius wrote:
> > I know about the restrictions,
> > but do you know how weak that NT hash is?
>
>   Everyone knows.
>
> > so I can't afford to make all my user password hash weak...
>
>   Perhaps you didn't read the web page on deployingradius.com.
>
>   If you want to do PEAP, the ONLY CHOICE you have is whether to store
> clear-text passwords, or NT hashed passwords.
>
>   Saying you "can't afford" to use NT hash is like saying "I want to
> drive a car, but I can't afford the time to learn how".
>
> > also I need to respect some security guidelines in my system.
>
>   Too bad.  If your security system forbids clear-text passwords && NT
> hashed passwords, then it forbids EAP.
>
>   That's what the web page says.  If it's not clear, go read it again.
>
> > I could go to use only clear-text for 802.1x users, have an exception for this kind of users.
> >
> > that's why I'm thinking to try some filtering... based on the NAS-ID or NAS-IP I might authenticate the users in users file or LDAP, right? :D
>
>   Put the 802.1X capable users into an LDAP group.  Forbid anyone else
> from doing 802.1X.
>
>   And store the passwords clear-text or NT hashed.  Use LDAP ACLs to
> limit access to them.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html