Best/simplest authentication method to validate an encrypted user/password against encrypted known-good.

Matthew Newton mcn at
Fri May 1 23:35:57 CEST 2020

On 01/05/2020 22:13, Gleb Lisikh wrote:
> The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication.
> And mschap requires Cleartext-Password for known good password. Is there
> any way to substitute such password with an encrypted (e.g. SHA1) string?

MSCHAPv2 can use *only* a cleartext password or an NT hash. Nothing else
will work.


> Anything I can do to overcome this Cleartext problem?

No, not if you use MSCHAPv2.

> On a side note, I'd also rather not use SQL or LDAP for proving an
> encrypted password

Well, you've got to get the password from somewhere. They're the common 
sort of places people use to store user data.

I would advise that you use FreeRADIUS to do the authentication, rather 
than trying to do something yourself in one of the language modules, 
especially python, for performance reasons.

