I wanted to say thanks to everybody from this list who has given me a hand over the past few weeks. I have successfully configured Freeradius to authenticate 802.1X wireless clients from an AD domain and assign them the appropriate VLAN tag based on AD/LDAP group membership. Many thanks to everybody.
-----Original Message-----
From: freeradius-users-bounces+mwhitlow=bumail.bradley....@lists.freeradius.org [mailto:freeradius-users-bounces+mwhitlow=bumail.bradley....@lists.freeradius.org] On Behalf Of Sven Hartge
Sent: Sunday, November 13, 2011 8:39 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP/MSCHAP

Andreas Rudat <ru...@endstelle.de> wrote:

> On 12.11.2011 23:00, Sven Hartge wrote:
>> This also means you have to protect those Hashes inside your database
>> like a raw cleartext password, as you can authenticate to any Windows
>> box with the knowledge of the NT/LM-Hash.
>>
>> This has been exploited by several Windows trojan horses, which
>> grabbed the NT-Hash from the Administrator user to log in to other
>> boxes on the network using the same password (or worse: the domain
>> controller).

> Ah, many thanks for clearing that up, so both are bad no matter which
> mechanism is used.

Yes.

Storing the NT-Hash has the advantage of not completely exposing the cleartext password to a possible intruder.

Storing the LM-Hash is just dumb, because a) it limits the length of the password to 16 characters and b) LM-Hash is easily broken in seconds by today's computers.

Storing the raw cleartext password is as bad, but it enables one to use other challenge-handshake auths, if needed.

I chose to store the raw cleartext password in LDAP, but in a different attribute than the normal userPassword. This way, if my LDAP servers ever get compromised (or I mess up with an ACL, enabling anyone to read the cleartext password), just the WLAN/Dialup-Password of a user is revealed and not the master password for the account, which is used for mail, logging in to computers, etc.

Regards,
Sven.

--
Sigmentation fault. Core dumped.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html