On 23 Feb 2015, at 15:48, Robert Graham <robert_graham@uhaul.com> wrote:
Question for the Freeradius programmers/admins:
How does the authentication for the Salted SHA-512 get handled?
Yes, I know you can pull the hashed/salted password from a sql database or locally, but how does the FreeRadius server compare the users input password which would only be the first 64 bytesand the rest being the salt, when the user has only entered in their username and password at the prompts (I.E. mobile devices or laptops). Doesnt the server need to have the users password and salt to be able to compare the pulled password with the entered in password?
It needs the user's plaintext password yes. For EAP you'd need to use EAP-TTLS-PAP or some other method that'd give you the plaintext password. EAP-PEAP wraps MSCHAPv2 in TLS, and MSCHAPv2 doesn't give you the plaintext password.
If I use radtest everything works just fine locally,
Great
but once PEAP is integrated into the mix, it fails (i.e. laptop,cell phone). Am I reading the protocol compability matrix incorrectly then?
Yep. EAP-PEAP will only work if in the database, the user's password is MD4 hashed or it's in plaintext. There's a great article here which shows why knowing the MD4 password works: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ ...and also shows why MSCHAPv2 isn't a great idea unless you can guarantee the TLS tunnel it established with a trusted party. If you could give us an idea of the client systems that'll be authenticating we might be able to offer suggestions on what EAP flavour/supplicant might work. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2