(RADIATOR) PEAP, MS-CHAPv2 and LDAP

Ingvar Berg (LI/EAB) ingvar.berg at ericsson.com
Mon Dec 22 05:31:39 CST 2003


CHAP requires the RADIUS server to have access to the password in plain text, so MD5 or any other hash is ruled out.
The simple solution is to store the password in plaintext; the more complicated one is to store it two-way encrypted and patch Radiator to decrypt the retrieved password before using it. But you'll have to solve the problem of changing the encryption key.

/Ingvar 

> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> Behalf Of Sevcik Berndt
> Sent: den 22 december 2003 11:24
> To: radiator at open.com.au
> Subject: (RADIATOR) PEAP, MS-CHAPv2 and LDAP
> 
> 
> I found the following message in the archive:
> 
> Tom Riziom's response to my PEAP problem indicates that PEAP may not 
> work with LDAP as noted below:
> 
> btw. PEAP-MSCHAPV2 is not supported by an LDAP encrypted database,
> will need to use clear-text (EAP-TTLS-PAP for example).
> 
> 
> 
> My understanding is that as long as I have an LDAP with MD5 passwords I 
> should be ok.
> 
> We are currently testing OpenLDAP as it supports MD5 passwords so
> I'm assuming that should work.
> 
> Any comments?
> 
> Thanks in advance.
> 
> John McFadden
> 
> Is this right that I can use MS-CHAPv2 with OpenLDAP? Why can 
> I put in an attribute an MD5 encrypted password to use with MS-CHAPv2?
> 
> Maybe that is the reason why I always get Access-Reject when I 
> try to authenticate against an LDAP Server?
> 
> 
> Berndt
> 
> -- 
> This message was created with the kind support
> of a free-range penguin raised in species-appropriate conditions.
> It is guaranteed free of Microsoft viruses.
>  
> -----------------------------------------
> TGM - Die Schule der Technik
> IT-Service
> A-1200 Wien, Wexstr. 19-23
> Tel. +43(1)33126/316 Fax: +43(1)33126/154
> E-Mail: berndt.sevcik at tgm.ac.at
> -----------------------------------------
> 
> 
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 
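The point made in the reply above, as an added example that is not part of the original thread and is not Radiator code: in RFC 1994 CHAP the response is MD5 over the identifier octet, the secret and the challenge, so a server that holds only an MD5 digest of the password cannot recompute it. The password, identifier, challenge and function names are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_with_plaintext(stored_password: bytes, ident: int,
                          challenge: bytes, response: bytes) -> bool:
    """Server side when the directory returns the plaintext password."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)

def verify_with_md5_digest(stored_digest: bytes, ident: int,
                           challenge: bytes, response: bytes) -> bool:
    """Server side when the directory returns only MD5(password).

    The digest is all the server has, so the best it can do is use the
    digest itself as the secret. The client hashed the real password
    together with the identifier and challenge, so the values differ.
    """
    expected = chap_response(ident, stored_digest, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    # Constructed sample values, not taken from the thread.
    password = b"constructed-sample-password"
    ident = 7
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")

    # What the client sends back after receiving the challenge.
    response = chap_response(ident, password, challenge)

    # What an LDAP attribute holding an MD5 hash would contain.
    stored_digest = hashlib.md5(password).digest()

    ok_plain = verify_with_plaintext(password, ident, challenge, response)
    ok_hashed = verify_with_md5_digest(stored_digest, ident, challenge, response)
    wrong_pw = verify_with_plaintext(b"wrong-password", ident, challenge, response)
    return ok_plain, ok_hashed, wrong_pw

if __name__ == "__main__":
    print(demo())
```

With the hashed attribute the correct password is rejected just like a wrong one, which on the wire is an Access-Reject.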