On 28 Sep 2011, at 16:10, Rosario Lumia wrote:

> 
> 
> 2011/9/28 Arran Cudbard-Bell <a.cudba...@freeradius.org>
> 
> Sorry, do you mean I have to store in my mailserver cleartext or MD4 
> password?

I'm saying that in order to do PEAP/MSCHAPv2 you have to have access to the 
Cleartext-Password or NT-Password, or be able to proxy the MSCHAPv2 data to 
something else that has access to the Cleartext-Password or NT-Password 
attribute (usually Active Directory).

If the CommuniGate box stores this information or lets you populate this 
information then execute a query to populate control:Cleartext-Password or 
control:NT-Password in the authorize section of the inner-server after the call 
to the EAP module.

The reason TTLS-PAP is working is that the server has a cleartext version of 
the password from the PAP tunnel, which it can send to the CommuniGate box or 
compare with a value from the CommuniGate box. You can't do this with PEAP 
because the password is not sent in a reversibly encrypted format.

The Google description for communigate.com mentions RADIUS. I don't have time 
to go digging through the manuals, but you might want to check if it'd be 
possible to proxy RADIUS/EAP authentication to the box, and then just make 
policy decisions with FreeRADIUS.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
