Clarifications

Article:		A Technical Comparison of TTLS and PEAP
Subject:		Clarifications
Date:		2003-06-13 12:48:08
From:		anonymous2
Response to: Clarifications
The information seems technically incorrect. MSCHAP does not require passwords stored in plain-text; and this is considered one of the many advantages of MSCHAP compared to CHAP. CHAP requires the password to be stored in plain-text. MSCHAP protocol can be used with SQL. A number of RADIUS servers support PPP-MSCHAP with SQL. If there is indeed a real demand for SQL with MSCHAPv2, then it maybe just a question of time before RADIUS vendors support it.

Showing messages 1 through 2 of 2.

MS-Chap is designed for MS Databases
2003-07-07 08:51:37 anonymous2 [Reply | View]

Here is the issue: When using the MS-CHAP or MS-CHAPv2 protocols, the Challange exchange between the RADIUS server and the supplicant are based on the NT-Hash of the users password. This means that the Database that the RADIUS server looks at needs to have access to the NT-Hash of the users password, not the clear text version of the password. This is fine if your database happens to be Active Directory, because this is how passwords are stored in AD, but if it is LDAP, or SQL, you would have to go through some process to get the NT-hash of all your users passwords into this other database. This is why EAP-MSChapv2 (and thus Micosoft's PEAP supplicant) is really only good if your database is Microsoft.