NTLM hashed passwords.

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Jul 15 17:52:40 CEST 2016


> On Jul 15, 2016, at 11:34 AM, Dom Latter <freeradius-users at latter.org> wrote:
> 
> Hi all,
> 
> for a couple of years now we have been using freeradius to support
> a Wifi network.  We are using WPA2-Enterprise.  We need to support
> clients running any and every operating system.
> 
> Currently we store passwords as plain text in a "radcheck" table
> in the database.
> 
> I am experimenting with replacing "User-Password" (yes, I know it
> should be "Cleartext-Password") with an "NT-Password" generated by
> smbencrypt.
> 
> So far it seems mostly okay with Windows, Android, iOS and MacOS.
> And Linux.
> 
> Are there any pitfalls or gotchas to watch out for?  Any
> systems that only do MSCHAPv1 (which I believe requires
> the plain text password).

No. All modern supplicants and authentication clients use MSCHAPv2.

The most common applications are PEAPv0 and PPTP.

There's not a huge advantage in storing unsalted MD4 hashed passwords.

-Arran