libpam-radius-auth and EAP

Alan DeKok aland at
Thu Mar 11 17:55:49 CET 2010

Sebastien Chapiron wrote:
> I'm trying to setup a radius server in order to authenticate users from
> OpenVPN and I am therefore using the libpam-radius-auth plugin (on
> Ubuntu 9.10).
> Since the RADIUS requests that this lib sends are using PAP (as far as I
> can tell from the freeradius debug output), i was wondering whether it
> would be possible to send EAP message using libpam-radius-auth (or at
> least [MS]CHAP) ?

  Not at this time.

> I don't even know if it makes sense since EAP messages
> are in theory sent between the radius server and the access client (not
> the radius client as libpam-radius-auth enables a host to be).
> The point is that i don't quite like my users' password (connected via
> OpenVPN) to be weakly encrypted by the shared secret between the radius
> client and server 

  That's how RADIUS works.  I would suggest using a secure network to
connect the RADIUS client and server.

> and even worse, visible as plain-text in FR debug output.

  That's how RADIUS works.  Anyone having root on that machine can
decode the passwords.  Anyone running the server in debugging mode can
see the passwords.

  MS-CHAP won't help.  Your passwords are either stored in clear-text in
the database (which means someone can read them), or they're hashed,
which means (pretty much) that only PAP will work.

> P.S: using IPSec to secure the channel between the radius client and
> server is too much pain in the ass to be considered as a viable
> solution. I'm not *that* paranoid !

  <shrug>  Using a real cryptographic protocol to secure network
communications is the only way to have a secure network.

  Alan DeKok.

More information about the Freeradius-Users mailing list