>This is correct, but unfortunately in a PEAP(MS-CHAP-V2) exchange, the RADIUS server never receives the clear text password from the user.
Correct... But I think you are missing the point.
The message above is talking about the cleartext password being available on the server side, read from a database of some kind and not sent by the client as you stated.
>The bottom line:
>PEAP(MS-CHAP-V2) will only work when the database that the RADIUS server is pointing to stores the user's NT-HASH of their password.
Let's think about this. To get the NT-HASH of the password on the client side you will need to NT-HASH the cleartext password typed in by the user.
Hmmm, to get the NT-HASH password on the server side you need to either have the NT-HASH of the clear-text password OR.... have the clear-text password and NT-HASH that... so to add to your bottom line:
PEAP(MS-CHAP-V2) will only work when the database that the RADIUS server is pointing to stores the user's NT-HASH of their password or uses a clear-text password to create the NT-HASH.