On 29/09/16 17:25, Alan DeKok wrote:
On Sep 29, 2016, at 12:13 PM, Dom Latter <freeradius-users@latter.org> wrote:
some of you may remember me from a couple of months back asking about NTLM hashed passwords. I gave those a brief go but found that some devices just didn't work with them.
What does that mean?
It means that I replaced 'User-Password' in radcheck with an equivalent 'NT-Password'. And I found that (for example) with one of my guinea pig users, two of his devices continued to connect to the Wifi network just fine, but the third did not.
There is no "device" compatibility issues with NT hashed passwords.
See above. From my customer's point of view, that's a device compatibility issue, whatever it may be at a technical level.
If you want security, store the encrypted passwords in SQL, and then decrypt them on the RADIUS server. That way the SQL database has the passwords but not the decryption key, and the RADIUS server has the decryption key but not the password.
When you say "decrypt them on the radius server" - as far as I could see that would mean writing a new module (or modifying rlm_mschap.c) and re-compiling freeradius - is that what you meant?
It "works", just like putting a Ferrari sticker on your car "works". But it doesn't add any real security. And your car still isn't a Ferrari.
I could not agree more! Thanks for your input.