On 11/07/12 14:04, Marco Macala wrote:
> > if you don't trust the network then you will also need to look at
> > using TLS to transport things around - e.g. RADSEC or a VPN tunnel.
>
> isn't the point of PEAP that I don't need them because it is wrapped in
> an encrypted communication?
Yes.
> > as for NT hash - yes, there are security issues but only if you have
> > access to them or expose them - if you bind the FreeRADIUS system to
> > an AD and use e.g. ntlm_auth then the NT hash isn't accessed.
>
> The thing is, I can't use AD to store the passwords. Specifically, I
> would like to store the password as a salted hash.
You can't do this and use PEAP. PEAP requires MSCHAPv2, which requires
that the plaintext or the NT hash exist SOMEWHERE. See:
http://deployingradius.com/documents/protocols/compatibility.html
> I want something like this:
> - encrypted channel between authenticator and radius server
PEAP or TTLS will provide this.
> - passwords stored as a salted hash
Only TTLS-PAP will provide this. See the link above. TTLS is not
available until Windows 8, so you will need to deploy software on
windows clients.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html