[RADIATOR] Unicode in nthash passwords
C R
publist.cr at gmail.com
Wed Apr 15 14:58:12 UTC 2026
Good to know, Ondra.
We are evaluating options for PEAP (BYOD) and roaming EAP-TLS users. I
was thinking of not storing NT hashes because of security concerns and
adding a native LDAP password attribute. You can do auths in waterfall if
you need to support both during a migration. The only problem I
foresee is that I may need to compare hashes myself. I offload
Radiator auths to our own REST backends to keep the load light and the
flow async on the Radiator frontends.
C.
On Wed, 15 Apr 2026 at 15:22, Hosek, Ondrej via radiator
<radiator at lists.open.com.au> wrote:
>
> Hi C.,
>
> On Wed, 2026-04-15 at 15:02 +0200, C R wrote:
> > so I guess one of the few options
> > would be EAP-TTLS with an application password. This way the main
> > password can be used for SSO with MFA support while the Network one
> > can be used without it.
>
> Yup, our network password is already independent of our SSO password.
>
> However, both PEAP and EAP-TTLS seem to require the choice of an inner
> authentication protocol, and I expect many of our clients will have
> "allow MSCHAPv2 and nothing else" configured. Thus, until we decide to
> take the plunge and tell everyone to switch to PAP (and assuage their
> fears that although Windows' connection settings call it "unencrypted
> password", it's always transmitted over an encrypted channel), we are
> stuck with NT hashes in the database.
>
> We follow eduroam recommendations and allow both PEAP and EAP-TTLS.
>
> Cheers,
> ~~ Ondra