RE: Authentication against /etc/shadow using ...
No, CHAP, and MS-CHAP (the inner authentication method used with PEAP) require clear text passwords. Therefore, the shadow password file is not compatible with these methods. This bit me to start with.

You could always try TTLS with SYSTEM as the inner authentication mechanism? Alan is a strong proponent of TTLS vs PEAP, and I have to say that in a purist sense, he's absolutely right. Unfortunately, the two largest players in the market have used (two incompatible versions of) PEAP :-(. This means that it is more trivial, particularly with Microsoft based clients, to use PEAP/MS-CHAPv2.

Regards,

Guy

-----Original Message-----
From: José Berenguer [mailto:[EMAIL PROTECTED]
Sent: 18 November 2003 12:56
To: [EMAIL PROTECTED]
Subject: Authentication against /etc/shadow using ...

We are trying to authenticate users with FreeRadius 0.9.2 against the /etc/shadow file in a Solaris system. We know that System authentication won't work for EAP-MD5. But is it possible to do it using CHAP or PEAP?

Thanks!

José Berenguer Giménez
Área de Comunicaciones-Servicio de Informática
UNIVERSIDAD DE ALMERÍA
Crta. de Sacramento s/n, 04120 - Almería
Tlf.: 950014014
E-mail: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication against /etc/shadow using ...
salut

> No, CHAP, and MS-CHAP (the inner authentication method used with PEAP) require clear text passwords. Therefore, the shadow password file is not compatible with these methods. This bit me to start with.

so, there is no PAP for PEAP?

> You could always try TTLS with SYSTEM as the inner authentication mechanism? Alan is a strong proponent of TTLS vs PEAP, and I have to say that in a purist sense, he's absolutely right. Unfortunately, the two largest players in the market have used (two incompatible versions of) PEAP :-(. This means that it is more trivial, particularly with Microsoft based clients, to use PEAP/MS-CHAPv2.

well, one thing is for sure: TTLS supports PAP as the inner authentication method.

ciao
artur
RE: Authentication against /etc/shadow using ...
-----Original Message-----
From: Artur Hecker [mailto:[EMAIL PROTECTED]
Sent: 18 November 2003 15:49
To: [EMAIL PROTECTED]
Subject: Re: Authentication against /etc/shadow using ...

> salut
>
> > No, CHAP, and MS-CHAP (the inner authentication method used with PEAP) require clear text passwords. Therefore, the shadow password file is not compatible with these methods. This bit me to start with.
>
> so, there is no PAP for PEAP?

Not if you use an MS client, which is the most convincing reason to do so. ;-)

Regards,

Guy

> > You could always try TTLS with SYSTEM as the inner authentication mechanism? Alan is a strong proponent of TTLS vs PEAP, and I have to say that in a purist sense, he's absolutely right. Unfortunately, the two largest players in the market have used (two incompatible versions of) PEAP :-(. This means that it is more trivial, particularly with Microsoft based clients, to use PEAP/MS-CHAPv2.
>
> well, one thing is for sure: TTLS supports PAP as the inner authentication method.
>
> ciao
> artur
Re: Authentication against /etc/shadow using ...
José Berenguer [EMAIL PROTECTED] wrote:

> We know that System authentication won't work for EAP-MD5. But is it possible to do it using CHAP or PEAP?

No. See the FAQ. It talks SPECIFICALLY about system authentication and CHAP.

Microsoft PEAP doesn't send clear-text passwords, so it's impossible to use /etc/password for authentication.

Alan DeKok.
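
Added example, not part of any poster's message and not FreeRADIUS code: a sketch of why a server that holds only a one-way hash, as /etc/shadow does, can verify a PAP password (for instance inside TTLS) but cannot recompute a CHAP response. PBKDF2 is an assumed stand-in for the crypt(3) hash, and the password, salt and challenge are constructed values.

```python
import hashlib
import hmac


def shadow_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in (assumption) for the salted one-way hash kept in /etc/shadow."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_pap(stored: bytes, salt: bytes, sent_password: bytes) -> bool:
    """PAP delivers the password itself, so the server re-hashes and compares."""
    return hmac.compare_digest(shadow_hash(sent_password, salt), stored)


def verify_chap(ident: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """CHAP delivers only a digest; the server must rebuild it from its own secret."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values, fixed so the run is reproducible.
    password = b"correct horse"
    salt = bytes.fromhex("0102030405060708")
    ident, challenge = 7, bytes(range(16))

    stored = shadow_hash(password, salt)                   # all a shadow-backed server has
    response = chap_response(ident, password, challenge)   # what a CHAP client sends

    return {
        "pap_against_shadow_hash": verify_pap(stored, salt, password),
        "pap_wrong_password": verify_pap(stored, salt, b"wrong"),
        "chap_with_cleartext_secret": verify_chap(ident, challenge, response, password),
        # The one-way hash is not the secret the client used, so this never matches.
        "chap_with_shadow_hash_only": verify_chap(ident, challenge, response, stored),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```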