(RADIATOR) PEAP, MS-CHAPv2 and LDAP

Jonn Martell jonn.martell at ubc.ca
Mon Dec 22 15:36:34 CST 2003


We store the MSCHAPv2 hashes and compare against these.  You do not need 
to store passwords in clear text.

Our system has an LDAP/Oracle backend (non-Microsoft).

We're more than happy to provide any custom code back to open.com.au for 
integration in the main code.

MSCHAPv2 support is essential in supporting PPTP and PEAP for a wireless 
LAN service.

  ... Jonn Martell, Manager, UBC Wireless

Ingvar Berg (LI/EAB) wrote:
> CHAP requires the radius server to have access to the password in plain text, so MD5 or any other hash is ruled out.
> The simple solution is to store the password in plaintext, the more complicated is to store it 2way-encrypted and patch Radiator to decrypt the retrieved password before using it. But you'll have to solve the problem of changing the encryption key.
> 
> /Ingvar 
> 
> 
>>-----Original Message-----
>>From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
>>Behalf Of Sevcik Berndt
>>Sent: den 22 december 2003 11:24
>>To: radiator at open.com.au
>>Subject: (RADIATOR) PEAP, MS-CHAPv2 and LDAP
>>
>>
>>I found the following message in the archive:
>>
>>Tom Riziom's response to my PEAP problem indicates that PEAP may not 
>>work with LDAP as noted below:
>>
>>btw. PEAP-MSCHAPV2 is not supported by an LDAP encrypted database,
>>will need to use clear-text (EAP-TTLS-PAP for example).
>>
>>
>>
>>My understanding is that as long as I have an LDAP with MD5 passwords I 
>>should be ok.
>>
>>We're currently testing OpenLDAP as it supports MD5 passwords so
>>I'm assuming that should work.
>>
>>Any comments?
>>
>>Thanks in advance.
>>
>>John McFadden
>>
>>Is this right that I can use MS-CHAPv2 with OpenLDAP? Why can 
>>I put in an attribute an MD5 encrypted password to use with MS-CHAPv2?
>>
>>Maybe that's the reason why I always get Access-Reject when I 
>>try to authenticate against an LDAP Server?
>>
>>
>>Berndt
>>
>>-- 
>>This message was created with the kind support of
>>a free-range penguin raised in species-appropriate outdoor conditions.
>>It is guaranteed free of Microsoft viruses.
>> 
>>-----------------------------------------
>>TGM - Die Schule der Technik
>>IT-Service
>>A-1200 Wien, Wexstr. 19-23
>>Tel. +43(1)33126/316 Fax: +43(1)33126/154
>>E-Mail: berndt.sevcik at tgm.ac.at
>>-----------------------------------------
>>
>>
>>===
>>Archive at http://www.open.com.au/archives/radiator/
>>Announcements on radiator-announce at open.com.au
>>To unsubscribe, email 'majordomo at open.com.au' with
>>'unsubscribe radiator' in the body of the message.
>>
> 


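
The CHAP constraint discussed in this thread, as an added example that is not part of the original messages or of Radiator's code: it computes an RFC 1994 CHAP response and shows that a server holding only an OpenLDAP-style `{MD5}` value cannot verify it. The password, identifier and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5 over the identifier octet, the secret, then the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def server_verify(ident: int, challenge: bytes, response: bytes, stored: bytes) -> bool:
    """Server side: recompute the response from whatever the backend stores."""
    expected = chap_response(ident, stored, challenge)
    return hmac.compare_digest(expected, response)


def ldap_md5(password: bytes) -> str:
    """userPassword value in the {MD5} scheme: base64 of the raw MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def demo():
    password = b"correct horse"              # constructed sample password
    ident, challenge = 0x2A, os.urandom(16)  # fresh challenge per attempt

    # Client side: the secret fed into the hash is the plaintext password.
    response = chap_response(ident, password, challenge)

    # Backend stores the plaintext: the server can rebuild the same digest.
    plaintext_ok = server_verify(ident, challenge, response, password)

    # Backend stores {MD5}: the server only has MD5(password), which is a
    # different input to the CHAP hash, so the recomputed digest never matches.
    stored = ldap_md5(password)
    digest = base64.b64decode(stored[len("{MD5}"):])
    hashed_ok = server_verify(ident, challenge, response, digest)

    return plaintext_ok, hashed_ok, stored


if __name__ == "__main__":
    ok_plain, ok_hashed, stored = demo()
    print("plaintext backend verifies:", ok_plain)
    print("{MD5} backend verifies:    ", ok_hashed, "stored as", stored)
```

MS-CHAPv2 differs in that its response is derived from the NT hash (MD4 of the UTF-16LE password), so a backend that stores that hash can verify it without the plaintext, while an `{MD5}` value still cannot.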

