19
edits
Changes
Add password hash section
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when NI&S rotates the certificates being used (at least every 2 years), the configuration will need to be updated to match the new certificate.
===Getting your network password hash===
MSCHAPv2 verifies the NT4 hash of your password, not the password itself. This means knowing the hash of the password is sufficient to connect to authenticate. Depending on the client, you may be able to store the hash in your config instead of the password. To reiterate, '''this hash is just as sensitive as your password'''. The hash is less human memorable, though, and does act as a deterrent to shoulder-surfing.
To derive the password hash, you can:
<pre>
printf 'YOUR-NETW-ORKP-SSWD' \
| iconv -f ASCII -t UTF-16LE \
| openssl md4 \
| cut -d ' ' -f 2
</pre>
===A Word of Caution===
