Question for the Freeradius programmers/admins: How does the authentication for the Salted SHA-512 get handled? Yes, I know you can pull the hashed/salted password from a sql database or locally, but how does the FreeRadius server compare the users input password which would only be the first 64 bytesand the rest being the salt, when the user has only entered in their username and password at the prompts (I.E. mobile devices or laptops). Doesnt the server need to have the users password and salt to be able to compare the pulled password with the entered in password? Ive been trying to do the format that was discussed earlier by changing our code to be hash/salt appended not prepended, and by using Arrans suggestions of: update control { SSHA2-512-Password := "0x%{sql:query to get hash in hex concatenated with salt in hex}" or update control { Tmp-String-0 := "%{sql:SELECT hash FROM <table> WHERE <clause>}" Tmp-String-1 := "%{sql:SELECT salt FROM <table> WHERE <clause>}" } update control { SSHA2-512-Password := "0x%{control:Tmp-String-0}%{control:Tmp-String-1}" If I use radtest everything works just fine locally, but once PEAP is integrated into the mix, it fails (i.e. laptop,cell phone). Am I reading the protocol compability matrix incorrectly then? Robert Graham Network Engineer U-Haul International 2727 N. Central Ave Phoenix, AZ 85004