On 01/05/2020 22:13, Gleb Lisikh wrote:
The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication. And mschap requires Cleartext-Password for known good password. Is there any way to substitute such password with an encrypted (e.g. SHA1) string?
MSCHAPv2 can use *only* cleartext password, or NT hash. Nothing else will work. See http://deployingradius.com/documents/protocols/compatibility.html
Anything I can do to overcome this Cleartext problem?
No, not if you use MSCHAPv2.
On a side note, I'd also rather not use SQL or LDAP for proving an encrypted password
Well, you've got to get the password from somewhere. They're the common sort of places people use to store user data. I would advise that you use FreeRADIUS to do the authentication, rather than trying to do something yourself in one of the language modules, especially python, for performance reasons. -- Matthew