Article: A Technical Comparison of TTLS and PEAP
Subject: MS-Chap is designed for MS Databases
Date: 2003-07-07 08:51:37
From: anonymous2
Response to: Clarifications

Here is the issue: When using the MS-CHAP or MS-CHAPv2 protocols, the Challenge exchange between the RADIUS server and the supplicant is based on the NT-Hash of the user's password. This means that the Database that the RADIUS server looks at needs to have access to the NT-Hash of the user's password, not the clear text version of the password. This is fine if your database happens to be Active Directory, because this is how passwords are stored in AD, but if it is LDAP, or SQL, you would have to go through some process to get the NT-hash of all your users' passwords into this other database. This is why EAP-MSChapv2 (and thus Microsoft's PEAP supplicant) is really only good if your database is Microsoft.
Funk Software RADIUS support MS-CHAP-V2 in Solaris
2003-07-07 17:53:52 anonymous2
For your information, Funk has recently released its latest RADIUS server running on both the Windows and Solaris platforms.
I have tested the Solaris version and it supports Microsoft PEAP (which requires MS-CHAP-V2 for inner-authentication). It worked fine with Microsoft XP Service Pack 1 PEAP and Funk's client software 'Odyssey Client'.
I don't think anybody can say which protocol is which. It is only the decision of the network administrators or WLAN security policy admin to use PEAP or TTLS.
But if I am, I will use TTLS with Funk. Easier but expensive.




It is trivial to create the hash from the clear text password, and this can be done by the RADIUS server during authentication. SQL databases typically store the password in clear text.