On Fri, 2006-01-13 at 12:35 -0500, Roger Spencer wrote:
> I'm working on getting wireless network clients to do authentication via
> radius plugged into Fedora DS. Windows will do PEAP for authentication,
> which encrypts the mschapv2 password check. FreeRadius supports this
> and all works well, except...
>
> For Radius to do mschapv2, using Fedora DS, the NT hash of the password
> must be in the directory. It cannot use the regular user's password.
>
> I used a perl script to hash a password and put it in a user's entry,
> using ntusercomment (for lack of finding a better field), told
> FreeRadius that ntusercomment is the NT-Password field it's looking for,
> and I was able to successfully authenticate from a Windows box over the
> wireless card using WAP. Obviously this is not a good long term solution.
>
> 1) Does anyone know of a better way to store NT password hashes in the
> directory?
>
> 2) Is there a way to update the hash when the user changes their
> password? Maybe have DS call a perl script when a password change occurs?
>
> 3) Is there a better way of doing this?
>
----
I am unclear how you are doing authentication by Windows users to the
network in a normal login...via AD?

Anyway, my inclination is to set up Fedora-DS to use samba schema

http://directory.fedora.redhat.com/wiki/Howto:Samba

as that would give you a sambaNTPassword attribute which is normally the
hashed password as expected but how that relates to question
#2...updating the hash when the user changes their password...I suppose
that would depend upon the chain of events that occur where/when the
user changes their password...how is this information going to be sent
to fedora-ds?

Craig