On Fri, May 19, 2017 at 09:59:49AM +0000, Pircher, Sabine wrote:
WORKS: Storing the passwords in clear-text in the LDAP database (Standard-PosixAccount). But in general I don’t like to store any passwords in clear-text.
I read this article: http://deployingradius.com/documents/protocols/compatibility.html and PAP inside EAP-TTLS looks good for me to store encrypted passwords, but I’m new to freeradius and authentication.
What’s the best way ‘to do’ it?
Decide on a combination that works for your environment. Which probably means evaluating what EAP methods your client supplicants can do and then having to store passwords that are compatible. A lot of clients can't do EAP-TTLS/PAP (e.g. Windows 7). So you end up having to use PEAP/EAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2. Which means storing the passwords in NTLM hash or cleartext. And NTLM hash isn't much better than cleartext. If all your clients support EAP-TTLS/PAP then sure, store the passwords hashed in whatever method you like. Or just move to EAP-TLS and use certificates. But the overheads of that are significantly higher with cert management. -- Matthew