Best/simplest authentication method to validate an encrypted user/password against encrypted known-good.

Gleb Lisikh in4bit.general at
Fri May 1 23:13:38 CEST 2020

Thanks a lot Alan! I am making progress at least in my understanding of how
everything flows.

The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication.
And mschap requires Cleartext-Password for the known good password. Is there
any way to substitute such a password with an encrypted (e.g. SHA1) string?
To your earlier point, I can do the following for PAP (in the default and/or
inner-tunnel authorize section) to provide a hashed password:

    import radiusd

    def authorize(p):
        # p is the tuple of (attribute, value) pairs rlm_python hands in
        reply = ()
        config = ( ('SHA-Password', 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d'), )
        return (radiusd.RLM_MODULE_OK, reply, config)

But the Auth-Type is preset to MSCHAPv2, and the mschap module demands
Cleartext, and fails if it does not get it.

Anything I can do to overcome this Cleartext problem?

On a side note, I'd also rather not use SQL or LDAP for providing an
encrypted password, but this does not seem to solve the problem of
mschap needing only Cleartext either, unless I am terribly confused.



On Wed, Apr 29, 2020 at 6:02 PM Alan DeKok <aland at> wrote:

> On Apr 29, 2020, at 5:03 PM, Gleb Lisikh <in4bit.general at> wrote:
> > I'd like to be able to authenticate a user by comparing the password provided
> > with the client's authentication request with what's in a password store.
> > It can be easily done by Clear-Text password, of course, but I cannot have
> > a known good password in that password store in Clear-Text form - only
> > encrypted (doesn't really matter how).
>
>   It does matter how.  FreeRADIUS has to understand the encrypted form in
> order to authenticate the user.
>
> > So ideally, I'd like to get an encrypted password string from a client, and
> > compare it with an encrypted password string retrieved from the known good
> > password store.
>
>   RADIUS doesn't work that way.
>
>   You can get the clear-text password from the user.  It's in the
> User-Password attribute.  You can get the encrypted password from a
> database such as SQL or LDAP.  The "pap" module will then compare the two.
>
> > The retrieval of the known good password is done in the
> > python module. And I'd rather not use SQL instead for the Python.
>
>   The python module should just hand the encrypted password to FreeRADIUS,
> and let FreeRADIUS do the work.
>
>   See mods-available/pap for documentation on what encrypted formats are
> supported.
>
> > EAP methods encrypt the whole message using the user passwords as a key (as
> > far as I understand it), which complicates the matter...
>
>   No.  EAP methods do something rather more complex, like TLS.
>
>   Alan DeKok.

