Ben Wiechman wrote:
Background: we use freeradius to provide AAA for our wireless hotspots. We would also like to use radius authentication for our layer 3 switches. This brings up the question of security.
It brings up a question of limited choices.
Which is going to be more secure, md5 hashed passwords in MySQL, or storing the passwords for the switch accounts in the /etc/shadow file
It's effectively the same from a security point of view.
(I had to set the file to world readable to allow the radiusd process to read the file…).
PLEASE don't do that! The comments in radiusd.conf describe how to *properly* let the server read /etc/shadow.
Or is there another, better alternative that I just don’t know about?
If you're doing PEAP for WiFi, you *can't* use MD5 or /etc/shadow passwords. Alan DeKok.