Best/simplest authentication method to validate an encrypted user/password against encrypted known-good.

Alan DeKok aland at
Sat May 2 21:01:33 CEST 2020

On May 2, 2020, at 1:24 PM, Gleb Lisikh <in4bit.general at> wrote:
> I was able to overcome the need for Cleartext password in MSCHAPv2 EAP inner tunnel authentication by adding python to /usr/local/etc/raddb/sites-enabled/inner-tunnel, as well as returning NT-Password in the config return. 
> No other types of hashing have been otherwise recognized by mschap.

  Yes, that's what you were told.

> It seems like a workable solution for now, unless this would be considered as not in line with best practices and/or will have some undesirable consequences.

  As said before, Cleartext-Password and NT-Password are your only options.  As such, using them is necessary.

  This isn't about "best practices" or "undesirable consequences".  Nothing else works, so these are your *only* practices.

  Alan DeKok.
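
An added example, not part of the original thread and not FreeRADIUS project code: a sketch of the approach described above, where an rlm_python `authorize` hook returns a stored NT-Password (unsalted MD4 over the UTF-16LE password) in its config tuple so the cleartext need not be kept. The `NT_HASHES` store and the user are constructed sample data; that the request arrives as unquoted `(name, value)` pairs and that mschap accepts the hash as a 32-character hex string are assumptions.

```python
# Added example; the user name, password and NT_HASHES are constructed sample data.
import struct

try:
    import radiusd                      # provided by FreeRADIUS inside rlm_python
    OK, NOTFOUND = radiusd.RLM_MODULE_OK, radiusd.RLM_MODULE_NOTFOUND
except ImportError:                     # stand-alone run: same numeric codes
    OK, NOTFOUND = 2, 6

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

_ROUNDS = (  # (boolean function, additive constant, word order, rotations)
    (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, k, order, shifts in _ROUNDS:
            for i, w in enumerate(order):
                t = (a + f(b, c, d) + words[w] + k) & 0xFFFFFFFF
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password):
    """NT-Password value: unsalted MD4 over the UTF-16LE password, as hex."""
    return md4(password.encode("utf-16-le")).hex()

# Computed once at enrolment or password change; the cleartext is not kept.
NT_HASHES = {"alice": nt_hash("password")}

def authorize(p):
    """rlm_python hook: hand the stored hash to mschap via the config tuple."""
    user = dict(p).get("User-Name")
    if user not in NT_HASHES:
        return NOTFOUND
    return (OK, (), (("NT-Password", NT_HASHES[user]),))
```

A salted or differently hashed store (bcrypt, SHA-crypt and so on) cannot be converted into this value without the cleartext, so the NT hash has to be derived at the moment the password is set.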
