Best/simplest authentication method to validate an encrypted user/password against encrypted known-good.

Gleb Lisikh in4bit.general at
Sat May 2 19:24:13 CEST 2020

I was able to overcome the need for Cleartext password in MSCHAPv2 EAP
inner-tunnel authentication by adding python
to /usr/local/etc/raddb/sites-enabled/inner-tunnel, as well as returning
NT-Password in the config return.
No other types of hashing have been otherwise recognized by mschap.

It seems like a workable solution for now, unless this would be considered
as not in line with best practices and/or will have some undesirable

Any comments are welcome.

Thank you,


On Fri, May 1, 2020 at 5:13 PM Gleb Lisikh <in4bit.general at> wrote:

> Thanks a lot Alan! I am making progress at least in my understanding of
> how everything flows.
> The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication.
> And mschap requires Cleartext-Password for known good password. Is there
> any way to substitute such password with an encrypted (e.g. SHA1) string?
> To your earlier point, I can do the following for PAP (in default or/and
> inner-tunnel authorize section) to provide with a hashed password:
> ##########
> config = ( ('SHA-Password', 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d'), )
> return (radiusd.RLM_MODULE_OK, reply, config)
> #########
> But the Auth-Type is preset to MSCHAPv2, and the mschap demands for
> Cleartext, and fails if it does not get it.
> Anything I can do to overcome this Cleartext problem?
> On a side note, I'd also rather not use SQL or LDAP for providing an
> encrypted password, but this does not seem to be solving the problem of
> mschap needing only Cleartext either, unless I am terribly confused.
> Regards,
> Gleb
> On Wed, Apr 29, 2020 at 6:02 PM Alan DeKok <aland at>
> wrote:
>> On Apr 29, 2020, at 5:03 PM, Gleb Lisikh <in4bit.general at>
>> wrote:
>> > I'd like to be able to authenticate a user by comparing password
>> > provided with the client's authentication request with what's in a
>> > password store.
>> > It can be easily done by Clear-Text password, of course, but I cannot
>> > have a known good password in that password store in Clear-Text form -
>> > only encrypted (doesn't really matter how).
>>   It does matter how.  FreeRADIUS has to understand the encrypted form in
>> order to authenticate the user.
>> > So ideally, i'd like to get an encrypted password string from a client,
>> > and compare it with an encrypted password string retrieved from the
>> > known good password store.
>>   RADIUS doesn't work that way.
>>   You can get the clear-text password from the user.  It's in the
>> User-Password attribute.  You can get the encrypted password from a
>> database such as SQL or LDAP.  The "pap" module will then compare the two.
>> > The retrieval of the known good password is done in the
>> > python module. And I'd rather not use SQL instead for the Python.
>>   The python module should just hand the encrypted password to
>> FreeRADIUS, and let FreeRADIUS do the work.
>>   See mods-available/pap for documentation on what encrypted formats are
>> supported.
>> > EAP methods encrypt the whole message using the user passwords as a key
>> (as
>> > far as I understand it), which complicates the matter...
>>   No.  EAP methods do something rather more complex, like TLS.
>>   Alan DeKok.

More information about the Freeradius-Users mailing list