I use a FreeRADIUS server acting as an 802.1X authentication server. Windows uses EAP-PEAP encryption by default. That means Windows sends an encrypted credential to my RADIUS server, and I cannot decode it to a clear-text password. But without a clear-text password, how can I authenticate against the LDAP server? Because passwords stored in the LDAP server are encrypted by some algorithms like MD5, how can I compare two encrypted passwords encrypted by different algorithms?
3 Answers
You can't. See this compatibility matrix.
You can store passwords in LDAP as cleartext or as NT-Passwords (unsalted MD4 of the 16-bit UTF encoding).
As Windows now supports EAP-TTLS-PAP, most people use that where they don't have access to the cleartext password or an Active Directory server.
Came here looking for the same answer as to how to set up FreeRADIUS + LDAP + EAP-PEAP for 802.1X WiFi.
After some research and more googling, it turns out you can set it up with very little effort; you just need to change a setting in /etc/freeradius/mods-enabled/eap.
Search for the peap type in the eap section; there should be something like:
```
## EAP-PEAP
peap {
    tls = tls-common
    default_eap_type = mschapv2
    ...
}
```

Change that to:

```
peap {
    tls = tls-common
    default_eap_type = gtc
    ...
}
```
Restart the service and try your connection.
Check these links for more details:
https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP_Generic_Token_Card_(EAP-GTC)
http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073992.html
https://support.google.com/a/answer/9089736
https://support.google.com/a/answer/9048516?hl=en&ref_topic=9048334
https://community.ui.com/questions/Guide-to-get-Unifi-FreeRadius-Google-LDAP-G-Suite-set-up-in-docker/36af593f-73b1-4943-8e22-9a81b10db9ae