(RADIATOR) LEAP LDAPv2 password clarification

Hugh Irvine hugh at open.com.au
Mon Jan 12 15:18:58 CST 2004


Hello Joe, Hello Terry -

Terry is correct, this is not a Radiator limitation, rather it is a 
limitation of the authentication method.

See the example configuration file in "goodies/leap.cfg" and the code 
in "Radius/EAP_17.pm".

regards

Hugh


On 13 Jan 2004, at 06:55, Terry Simons wrote:

> Joe,
>
> I'm not very familiar with LEAP, so I can't answer your question 
> directly, but there are problems with other protocols that require 
> clear text passwords... LEAP might be similar.
>
> PEAP->MSCHAPv2 requires clear text or reversibly encrypted passwords 
> be stored on the server due to the way the authentication takes place. 
>  The MSCHAPv2 hash needs to be done on the server side, with some 
> random data that is gotten per-authentication, so it's not as simple 
> as being able to store a static hash or anything like that.  It 
> requires some access to the clear text password.
>
> I'm not sure how LEAP handles authentication (unfortunately it's 
> proprietary, and people have had to reverse-engineer it) but it might 
> be similar... someone else can probably give you a more definite 
> answer.
>
> - Terry
>
>
> On Jan 12, 2004, at 11:28 AM, Joe Honnold wrote:
>
>> We have Radiator currently running and configured for wireless 
>> authentication via TTLS/PAP with the Odyssey client.
>> I think it works well, but a question has been asked about LEAP 
>> support that I cannot answer.
>> Unfortunately the SHA1 encrypted passwords are the issue.
>> Is the clear text password requirement a Radiator limitation?
>> If so, is there a planned release that will support LEAP with SHA1 
>> encrypted passwords?
>>
>> please advise.
>> joe.
>>
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
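
An added illustration, not part of the messages above and not Radiator code: why a directory holding only SHA-1 password digests can serve TTLS/PAP but not a challenge-response method of the kind Terry describes. The response function is a labelled stand-in (HMAC-SHA-256), not the real MS-CHAPv2 or LEAP computation, and all names and sample values are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample: the directory stores only SHA-1(password).
PASSWORD = "correct horse"  # constructed sample value
STORED_SHA1 = hashlib.sha1(PASSWORD.encode()).digest()


def pap_verify(stored_sha1, password_from_client):
    """TTLS/PAP: the password itself arrives inside the tunnel, so the
    server can hash it and compare with the stored digest."""
    candidate = hashlib.sha1(password_from_client.encode()).digest()
    return hmac.compare_digest(candidate, stored_sha1)


def protocol_key(password):
    """Stand-in for the protocol-defined password hash. MS-CHAPv2 uses MD4
    over the UTF-16LE password; SHA-256 is used here for portability."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(password, challenge):
    """Stand-in challenge response: keyed by the protocol hash and mixed
    with the per-authentication challenge, so it differs every time."""
    return hmac.new(protocol_key(password), challenge, hashlib.sha256).digest()


def verify_with_cleartext(password, challenge, response):
    """Server that can read the password recomputes the same response."""
    return hmac.compare_digest(client_response(password, challenge), response)


def verify_with_sha1_only(stored_sha1, challenge, response):
    """Server holding only SHA-1(password) cannot derive the protocol key;
    keying with the stored digest gives a different value."""
    guess = hmac.new(stored_sha1, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(guess, response)


def demo():
    challenge = os.urandom(8)  # fresh random data per authentication
    response = client_response(PASSWORD, challenge)
    return {
        "pap_with_sha1_store": pap_verify(STORED_SHA1, PASSWORD),
        "challenge_with_cleartext": verify_with_cleartext(PASSWORD, challenge, response),
        "challenge_with_sha1_store": verify_with_sha1_only(STORED_SHA1, challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```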
