Re: pap/peap confusion (FreeRADIUS Users forums, Networking and Network Related category)
Matt Ashfield wrote:

> I'm poring through the alphabet soup of all of this and have a few
> questions that keep popping up.
>
> During a pap conversation, the radius server ends up with the
> username/password passed to it from the client. It then encrypts the
> password to match the encryption of the stored password in ldap (or other
> directory) and tries a bind. Correct?

Yes

> During a PEAP conversation, the radius server also would end up with a
> username/password received from the client (either via clear-text or via the
> mschap conversation). Why can it not then encrypt the password just like PAP
> did? Does it do the comparison to LDAP stored passwords via MSCHAP as well?

No, miles off.

During a PEAP/MS-CHAP conversation, the server ends up with:

    challenge == random bytes
    response  == HASH(challenge, HASH(password))

If the server has any of:

  * the plaintext password
  * HASH(password) i.e. the NT or LM hashes
  * access to a domain controller which has the NT/LM hashes

...it can check the challenge and response match and that the client is who they say they are.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
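The following is an added illustration of the point made in the reply above; it is not part of the thread and not FreeRADIUS code. It models the exchange as described there, `response == HASH(challenge, HASH(password))`, and shows which server-side stores can verify it. Two stand-ins are assumed and labelled in the code: HMAC-SHA256 takes the place of the real MS-CHAPv2 construction (MD4 NT hash plus DES), and a salted SHA-1 digest with a constructed salt takes the place of a typical LDAP `userPassword` value. The function and variable names are the example's own.

```python
import hashlib
import hmac
import os

# Added teaching example, not FreeRADIUS code. It keeps the *shape* of the
# MS-CHAP check from the reply: response == HASH(challenge, HASH(password)).
# Deliberate stand-ins (assumptions, not the real protocol):
#   * HMAC-SHA256 replaces the MD4 NT hash + DES construction of MS-CHAPv2.
#   * SHA1(password || salt) || salt replaces a salted LDAP password store.


def nt_hash_standin(password: str) -> bytes:
    """Unsalted, deterministic hash of the password: the role the NT hash plays."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(challenge: bytes, password: str) -> bytes:
    """Client side: prove knowledge of the password without ever sending it."""
    return hmac.new(nt_hash_standin(password), challenge, hashlib.sha256).digest()


def server_verify_with_hash(challenge: bytes, response: bytes, stored_hash: bytes) -> bool:
    """Server holds HASH(password): recompute the response and compare in constant time."""
    expected = hmac.new(stored_hash, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def server_verify_with_plaintext(challenge: bytes, response: bytes, plaintext: str) -> bool:
    """Server holds the cleartext password: derive HASH(password) first, then verify."""
    return server_verify_with_hash(challenge, response, nt_hash_standin(plaintext))


def ssha_store(password: str, salt: bytes) -> bytes:
    """Stand-in for a salted directory password attribute: SHA1(password || salt) || salt."""
    return hashlib.sha1(password.encode() + salt).digest() + salt


def pap_bind_check(stored: bytes, password: str) -> bool:
    """What a PAP bind amounts to: the directory re-salts and re-hashes the cleartext."""
    digest, salt = stored[:20], stored[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def server_verify_with_ssha(challenge: bytes, response: bytes, stored: bytes) -> bool:
    """The best a server can do with only a salted digest: use it as the key anyway.
    It is not HASH(password) in the MS-CHAP sense and cannot be turned into it,
    so the check fails even when the client used the correct password."""
    return server_verify_with_hash(challenge, response, stored[:20])


def demo(password: str = "correct horse", wrong: str = "battery staple") -> dict:
    """Run every server-side check once and report which ones can succeed."""
    challenge = os.urandom(16)  # the random bytes the server sends
    response = client_response(challenge, password)
    salted = ssha_store(password, salt=b"constructed-salt")  # constructed sample store
    return {
        "mschap_with_plaintext": server_verify_with_plaintext(challenge, response, password),
        "mschap_with_nt_hash": server_verify_with_hash(challenge, response, nt_hash_standin(password)),
        "mschap_wrong_password": server_verify_with_plaintext(challenge, response, wrong),
        "pap_bind_against_ssha": pap_bind_check(salted, password),
        "pap_bind_wrong_password": pap_bind_check(salted, wrong),
        "mschap_against_ssha": server_verify_with_ssha(challenge, response, salted),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:26s} {'verified' if ok else 'rejected / cannot verify'}")
```

The last row is the one the reply is about: PAP succeeds against the salted store because the directory receives the cleartext and can re-hash it, while the MS-CHAP response can only be checked by something holding the plaintext or the unsalted password hash itself (or, as the reply notes, by a domain controller that holds that hash).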