Freeradius doesn't detect EAP when authenticating against MySQL

Alan DeKok aland at deployingradius.com
Tue Oct 23 09:12:03 CEST 2007


preem wrote:
> So, what is a common practice to do this then?

  It's not.

  People store MD5 or crypt'd passwords when the ONLY authentication
they're doing is PAP.  i.e. Unix logins, where the user supplies a
clear-text password to the authentication system.

  For many EAP types, people do NOT store MD5 or crypt'd passwords,
because they're useless.

> I understand it's not very
> safe nor sane to store passwords in clear text, that's why I wanted to avoid
> that, however it seems inevitable.

  It is safe, sane, and common practice to store passwords in clear text.

> I am managing a wired network for some 300 users, it's a student dorm and the
> university owns the network and they require authentication for the ease of
> management and control. 802.1x felt like the right way to go, because we are
> planning some wireless access points as well. There are HP's Procurve 2650
> switches in use. I chose a mysql db backend, because I also created a set of
> PHP scripts, where users can change their passwords and admin can
> add/del/modify user info.
> So what can one do to avoid storing passes in clear text or is it sane
> enough? The server also serves some web pages and dhcp requests.

  Ensure that no one has physical access to the system storing the
passwords.  Ensure that no one has network access to the system storing
the passwords.

  I would also suggest running the RADIUS server and/or the MySQL server
with passwords on a separate machine from the web/dhcp server.  That
way, if someone breaks into the web server, they won't have access to
the passwords.

  Alan DeKok.
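
Added example, not part of the original post and not FreeRADIUS code: it contrasts PAP verification against a stored MD5 hash with an MD5 challenge-response check in the style of CHAP (RFC 1994), which EAP-MD5 reuses, to show why a hashed store cannot serve the latter. The post does not name a specific EAP type, so the choice of method, the function names and the sample password are assumptions.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_pap(stored_md5_hex: str, supplied_password: bytes) -> bool:
    """PAP: the server receives the clear-text password, so it can hash
    what it received and compare that with the stored hash."""
    candidate = hashlib.md5(supplied_password).hexdigest()
    return hmac.compare_digest(candidate, stored_md5_hex)


def verify_challenge(stored_secret: bytes, ident: int,
                     challenge: bytes, response: bytes) -> bool:
    """Challenge-response: the password never crosses the wire, so the
    server must recompute the response from whatever it has stored."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-sample-password"  # constructed sample value
    stored_md5_hex = hashlib.md5(password).hexdigest()

    # Server issues a fresh challenge; the client answers using the password.
    ident, challenge = 7, os.urandom(16)
    response = chap_response(ident, password, challenge)

    return {
        # A hashed store is enough for PAP.
        "pap_with_md5_store": verify_pap(stored_md5_hex, password),
        # A clear-text store lets the server recompute the response.
        "challenge_with_cleartext_store":
            verify_challenge(password, ident, challenge, response),
        # The stored hash, as hex text or raw bytes, is the wrong input.
        "challenge_with_md5_hex_store":
            verify_challenge(stored_md5_hex.encode(), ident, challenge, response),
        "challenge_with_md5_raw_store":
            verify_challenge(bytes.fromhex(stored_md5_hex), ident, challenge, response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```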



More information about the Freeradius-Users mailing list