Best/simplest authentication method to validate an encrypted user/password against encrypted known-good.
mcn at freeradius.org
Fri May 1 23:35:57 CEST 2020
On 01/05/2020 22:13, Gleb Lisikh wrote:

> The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication.
> And mschap requires Cleartext-Password for known good password. Is there
> any way to substitute such password with an encrypted (e.g. SHA1) string?

MSCHAPv2 can use *only* cleartext password, or NT hash. Nothing else.

> Anything I can do to overcome this Cleartext problem?

No, not if you use MSCHAPv2.

> On a side note, I'd also rather not use SQL or LDAP for proving an
> encrypted password

Well, you've got to get the password from somewhere. They're the common
sort of places people use to store user data.

I would advise that you use FreeRADIUS to do the authentication, rather
than trying to do something yourself in one of the language modules,
especially Python, for performance reasons.