Hello Dom, Why don't you go with EAP-TTLS+PAP ? Plain-text password transferred over TLS-secured channel let you use any hashing algorithm you want in your database. Sure, you have to pay attention for proper device configuration with your CA certificate. On Thu, Sep 29, 2016 at 7:13 PM, Dom Latter <freeradius-users@latter.org> wrote:
Hi,
[tech details at end [1]]
some of you may remember me from a couple of months back asking about NTLM hashed passwords. I gave those a brief go but found that some devices just didn't work with them.
The requirement - a commercial and marketing requirement, not a technical one - has not gone away and it is that we can say that we do not store the passwords in plain text.
I have concocted a scheme whereby we do that - the following goes into dialup.conf and is I hope self-explanatory:
authorize_check_query = "SELECT id, username, attribute, value, op \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ AND attribute != 'AES-Password' \ UNION \ SELECT id, username, 'User-Password', \ AES_DECRYPT(UNHEX(value), 'aeskey'), op \ FROM radcheck \ WHERE username = '%{SQL-User-Name}' \ AND attribute = 'AES-Password' \ ORDER BY id"
We replace User-Password with AES-Password, decrypt it in the sql query and pass it back to radius /as/ User-Password. (Or Cleartext-Password is more likely in the final implementation).
Yes, the key is now held in /etc/freeradius and if someone gets that as well as the database then it's much the same as storing the passwords in plain text. But we can *say* that they are stored encrypted - and there may be a slight edge in security, as a file in /etc/ *may* be less vulnerable than a mysql database.
Any thoughts on this scheme?
thanks
dom
[1] wifi network with aerohive access points; freeradius with mysql data store; WPA2-Enterprise, MSCHAPv2, no control whatsoever over what the users want to connect to the network. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
-- Bogdan Rudas Head of Minsk IT Support Department Exadel Inc. http://www.exadel.com/ E-mail: brudas@exadel.com Skype ID: bogdan.rudas -- CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email.