On 08/17/2010 09:20 PM, Paul Dugas wrote:
> On Tue, Aug 17, 2010 at 4:02 PM, Alan DeKok <al...@deployingradius.com> wrote:
>> If you do not have clear-text or NT hashed passwords in your LDAP
>> database, then *no* tool will magically make MS-CHAP work.  The problem
>> is the method used to store the password.  The problem is *not* the tool
>> used to retrieve the password.
>
> If I do have NT hashed passwords in LDAP, is PEAP with ntlm_auth the
> recommendation?

No.

MS-CHAP requires access to the NT hash to execute the challenge/response. This means you have 3 options:

1. Use a datastore containing the NT hash directly. In your case, let the "ldap" module fetch the user's NT hash, then the "mschap" module perform challenge/response.

2. Use a datastore containing the cleartext password. Fetch the cleartext password, generate the NT hash, proceed as above.

NOTE: options 1 & 2 would *not* work if your LDAP server were Active Directory, since AD doesn't permit access to the passwords or hashes.

3. Hand off the challenge/response to a 3rd party who *does* have access to one of the above. This is typically done by a) installing Samba, b) joining a Windows domain/Active Directory and c) using the ntlm_auth helper to pass the challenge/response request to a domain controller.

In your case, provided you are using the default configurations, the ldap module will fetch the NT hash, and mschap will do the authentication. The "ntlm_auth" helper is not applicable; it's only used on a samba domain member to pass requests to the domain controller(s).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html