Hi, [tech details at end [1]] some of you may remember me from a couple of months back asking about NTLM hashed passwords. I gave those a brief go but found that some devices just didn't work with them. The requirement - a commercial and marketing requirement, not a technical one - has not gone away and it is that we can say that we do not store the passwords in plain text. I have concocted a scheme whereby we do that - the following goes into dialup.conf and is I hope self-explanatory: authorize_check_query = "SELECT id, username, attribute, value, op \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ AND attribute != 'AES-Password' \ UNION \ SELECT id, username, 'User-Password', \ AES_DECRYPT(UNHEX(value), 'aeskey'), op \ FROM radcheck \ WHERE username = '%{SQL-User-Name}' \ AND attribute = 'AES-Password' \ ORDER BY id" We replace User-Password with AES-Password, decrypt it in the sql query and pass it back to radius /as/ User-Password. (Or Cleartext-Password is more likely in the final implementation). Yes, the key is now held in /etc/freeradius and if someone gets that as well as the database then it's much the same as storing the passwords in plain text. But we can *say* that they are stored encrypted - and there may be a slight edge in security, as a file in /etc/ *may* be less vulnerable than a mysql database. Any thoughts on this scheme? thanks dom [1] wifi network with aerohive access points; freeradius with mysql data store; WPA2-Enterprise, MSCHAPv2, no control whatsoever over what the users want to connect to the network.