Using PAM to authenticate Radius auth requests with PEAP
yossie at laszlosystems.com
Fri Oct 14 02:27:31 CEST 2005
A co-worker of mine here has been asking questions of the list today
but I have some of my own.

Namely, I don't know much about how Radius does its magic, but
unless I am completely off the bat here, it appears to me that some
sort of channel is created between the Radius client and the server
over which requests are sent. These requests include a user and a
password and other information. The radius server will then compare
the user and password to the ones in its configured database and
either authenticate or not.

Unix passwords are encrypted through a one-way function and stored in
a password file. These passwords can no longer be reversed back to
their "clear text" format but it is possible to take a "clear text"
user and password (from the radius client) and convert it to this
format and compare the two thus matching, or not.

I can imagine that PEAP, specifically, does the password encryption
on the client and passes that on, using a similar but obviously not
the same, one way encryption algorithm, thus requiring the radius
server to have access to a clear text password which it would encrypt
with the same key and algorithm in order to match to the one from

If this is the case, then I can readily see how it can never (never
being a long time) be possible to use these sorts of passwords along
with UNIX encrypted passwords. This is a darn shame, but if it is
indeed the case, so be it.

I am asking the list if this is the case or if the reason
authentication isn't possible is a simple programming effort that
hasn't been done.

Also, given our setup:
Client: Cisco Wireless AP (1200)
Server: Linux running Freeradius

What is the optimal means to provide maximum security and still be
able to authenticate against the unix shadow password file?

Thank you for your time - Yossie
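
The contrast raised in the message above, as an added example that is not part of the original post: a cleartext (PAP-style) password can be re-hashed and compared with a stored one-way hash, while a challenge-response reply cannot be checked against that stored hash. It uses RFC 1994 CHAP as a simpler challenge-response than PEAP's inner method and PBKDF2 as a stand-in for the crypt(3) shadow format; the function names and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: arbitrary work factor for the stand-in hash


def shadow_entry(password, salt=None):
    """Stand-in for a shadow-file entry: (salt, salted one-way hash).
    PBKDF2-HMAC-SHA256 replaces the real crypt(3) scheme (assumption)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_pap(cleartext, entry):
    """PAP-style check: the server receives the cleartext password,
    re-hashes it with the stored salt and compares the results."""
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(ident, challenge, response, server_secret):
    """The server recomputes the response from whatever secret it holds."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = "constructed-sample-pw"   # constructed sample value
    entry = shadow_entry(password)       # all a shadow-only server stores
    challenge = os.urandom(16)
    response = chap_response(7, password.encode(), challenge)  # client side
    return {
        # Cleartext in hand: matching against the one-way hash works.
        "pap_vs_shadow": verify_pap(password, entry),
        # Challenge-response verifies when the server holds the cleartext.
        "chap_vs_cleartext": verify_chap(7, challenge, response, password.encode()),
        # With only the salted hash, the server cannot rebuild the response.
        "chap_vs_shadow_hash": verify_chap(7, challenge, response, entry[1]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```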