PEAP with sql - plain Identity

Alan DeKok aland at
Wed Feb 8 19:32:13 CET 2006

"Norbert Grochal" <norboro at> wrote:
> in freeradius users file I can write:
> mylogin Auth-Type = EAP, User-Password := "mypassword"

  Please read eap.conf. Setting Auth-Type is NOT recommended.

> So identity can be any word. I hope mylogin and mypassword are sent to
> radius encrypted, not as plain text.

  That's what MS-CHAP is.

> But when I clear the users file and use sql I have a record in radcheck
> table:
> id    UserName    Attribute        op    Value         ... (other fields)
> 1     mylogin     User-Password    ==    mypassword    ... (other values)

  Please read the "rlm_sql" documentation.  You are *comparing* the
passwords via '=='.  Since, as you said, the client is sending
MS-CHAP, there will be no clear-text password in the request.
Therefore, there will be no clear-text password to compare, and the
comparison will fail.

> But isn't Identity sent as clear text ???

  Yes.  So?

> I want to set Identity as Client Name, not as his login, is it possible?

  I think so.  I'm not sure what you mean by that, though.

  Alan DeKok.
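
The comparison failure described in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: a simplified Python model of how `==` and `:=` check items are evaluated. The function name, the sample requests and the `:=` row are constructed for illustration; the operator meanings follow the FreeRADIUS "users" file documentation.

```python
# Simplified model of check-item evaluation (added example, not FreeRADIUS code).
#   ==  matches only if the attribute is present in the request with that value
#   :=  always matches, and sets the attribute in the control (config) list

def evaluate_radcheck(request, rows):
    """Return (matched, control) for one user's radcheck rows.

    request: dict of attributes received in the Access-Request
    rows:    list of (attribute, op, value) tuples, as stored in radcheck
    """
    control = {}
    for attribute, op, value in rows:
        if op == "==":
            # Comparison against the request: a missing attribute cannot match.
            if request.get(attribute) != value:
                return False, {}
        elif op == ":=":
            # Assignment: stores the known-good value for the auth module.
            control[attribute] = value
        else:
            raise ValueError(f"operator {op!r} is not modelled here")
    return True, control

# Constructed sample requests. A PAP request carries User-Password; an
# MS-CHAPv2 request (PEAP inner tunnel) carries challenge/response only.
PAP_REQUEST = {"User-Name": "mylogin", "User-Password": "mypassword"}
MSCHAP_REQUEST = {
    "User-Name": "mylogin",
    "MS-CHAP-Challenge": "<constructed placeholder>",
    "MS-CHAP2-Response": "<constructed placeholder>",
}

COMPARE_ROW = [("User-Password", "==", "mypassword")]  # row from the post
ASSIGN_ROW = [("User-Password", ":=", "mypassword")]   # operator used in the users file line

def demo():
    """Evaluate both rows against both request types."""
    return {
        "pap_compare": evaluate_radcheck(PAP_REQUEST, COMPARE_ROW),
        "mschap_compare": evaluate_radcheck(MSCHAP_REQUEST, COMPARE_ROW),
        "mschap_assign": evaluate_radcheck(MSCHAP_REQUEST, ASSIGN_ROW),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```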

