Freeradius doesn't detect EAP when authenticating against MySQL
primoz
primski at gmail.com
Tue Oct 23 10:08:22 CEST 2007
On 10/23/07, Alan DeKok <aland at deployingradius.com> wrote:
>
> preem wrote:
> > So, what is a common practice to do this then?
>
> It's not.
>
> People store MD5 or crypt'd passwords when the ONLY authentication
> they're doing is PAP. i.e. Unix logins, where the user supplies a
> clear-text password to the authentication system.

And PAP is not a very safe and smart way to go, as I read it.

> For many EAP types, people do NOT store MD5 or crypt'd passwords,
> because they're useless.

So, crypted passwords are useful only in web applications? I read a lot
lately about how one should never store passwords in clear text; I guess
that applies only to web apps.

> > I understand it's not very safe nor sane to store passwords in clear
> > text, that's why I wanted to avoid that, however it seems inevitable.
>
> It is safe, sane, and common practice to store passwords in clear text.

I do not have much experience with this; in fact it's my first project on the
matter.

> > I am managing a wired network for some 300 users, it's a student dorm and
> > the university owns the network and they require authentication for the
> > ease of management and control. 802.1x felt like the right way to go,
> > because we are planning some wireless access points as well. There are
> > HP's Procurve 2650 switches in use. I chose mysql db backend, because I
> > also created a set of PHP scripts, where users can change their passwords
> > and admin can add/del/modify user info.
> > So what can one do to avoid storing passes in clear text or is it sane
> > enough? The server also serves some web pages and dhcp requests.
>
> Ensure that no one has physical access to the system storing the
> passwords. Ensure that no one has network access to the system storing
> the passwords.

That will be no problem, since I'm the only one with physical access.

> I would also suggest running the RADIUS server and/or the MySQL server
> with passwords on a separate machine from the web/dhcp server. That
> way, if someone breaks into the web server, they won't have access to
> the passwords.

I am using VMWare server, so that won't require much work.

> Alan DeKok.
Thanks again, for clearing this up.
primski
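
Added example, not part of the original thread: a sketch of why an MD5 column works for PAP but not for a challenge-response method, using the CHAP computation from RFC 1994 (which EAP-MD5 shares) as the representative case. The password value and all function names are constructed for illustration and are not FreeRADIUS code.

```python
import hashlib
import hmac
import os

PASSWORD = b"dorm-room-42"  # constructed sample password, not from the thread

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP / EAP-MD5 response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def pap_check(stored_md5_hex: str, supplied: bytes) -> bool:
    """PAP: the server receives the password itself, so it can hash and compare."""
    candidate = hashlib.md5(supplied).hexdigest()
    return hmac.compare_digest(candidate, stored_md5_hex)

def challenge_check(stored_secret: bytes, identifier: int,
                    challenge: bytes, response: bytes) -> bool:
    """Challenge-response: the server recomputes the response from what it stored."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    identifier, challenge = 7, os.urandom(16)
    # Client side: the user typed the real password; only the response is sent.
    response = chap_response(identifier, PASSWORD, challenge)
    md5_hex = hashlib.md5(PASSWORD).hexdigest()  # what an MD5 password column holds
    return {
        "pap_with_md5_column": pap_check(md5_hex, PASSWORD),
        "chap_with_cleartext_column": challenge_check(
            PASSWORD, identifier, challenge, response),
        # The server only has MD5(password); it cannot rebuild the response.
        "chap_with_md5_column": challenge_check(
            md5_hex.encode(), identifier, challenge, response),
        "chap_wrong_password": challenge_check(
            b"guess", identifier, challenge, response),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} {'accept' if ok else 'reject'}")
```
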