I am looking at testing EAP-pwd [^1] as an alternative to PEAP for wireless authentication. The documentation in FreeRADIUS is unclear as to what authorization attributes are required, but digging into the source it appears to be a cleartext password: pw = fr_pair_find_by_num(fake->control, 0, PW_CLEARTEXT_PASSWORD, TAG_ANY); if (!pw) { REDEBUG("Failed to find password for %s to do pwd authentication", session->peer_id); talloc_free(fake); return RLM_MODULE_REJECT; } Now, RFC 5931 offers three options, and one of them is to use the MSCHAPv2 password hash: " o RFC 2759: The input password string SHALL be processed to produce the output PasswordHashHash, as defined in [RFC2759] ... The Prep field represents the password pre-processing technique (see Section 2.7.2) to be used by the client prior to generating the password seed (see Section 2.8.3). This document defines the following values for the Prep field: o 0x00 : None o 0x01 : RFC2759 o 0x02 : SASLprep" This would be *really* convenient, as then I could use the control:NT-Password that I already use for PEAP. (The user database is FreeIPA and doesn't store cleartext passwords, but does have the NT hash) I see the "prep" field and constant definitions are in the source, e.g. EAP_PWD_PREP_MS, but the code appears to be fixed to EAP_PWD_PREP_NONE at the moment. Is this something which has already been considered? Thanks, Brian Candler. [^1] It seems that EAP-pwd and EAP-EKE have the same goal, of doing strong mutual authentication with a password. I haven't been able to find any comparison of the strengths and weaknesses of these protocols. But EAP-pwd has the advantage of being deployable: it's supported by Android and by FreeRADIUS.