Freeradius doesn't detect EAP when authenticating against MySQL

primoz primski at gmail.com
Tue Oct 23 10:08:22 CEST 2007


On 10/23/07, Alan DeKok <aland at deployingradius.com> wrote:
>
> preem wrote:
> > So, what is a common practice to do this then?
>
>   It's not.
>
>   People store MD5 or crypt'd passwords when the ONLY authentication
> they're doing is PAP.  i.e. Unix logins, where the user supplies a
> clear-text password to the authentication system.



And PAP is not a very safe and smart way to go, as I read it.

>   For many EAP types, people do NOT store MD5 or crypt'd passwords,
> because they're useless.



So, crypted passwords are useful only in web applications? I read a lot
lately about how one should never store passwords in clear text; I guess
that applies only to web apps.

> > I understand it's not very safe nor sane to store passwords in clear
> > text, that's why I wanted to avoid that, however it seems inevitable.
>
>   It is safe, sane, and common practice to store passwords in clear text.



I do not have much experience with this; in fact, it's my first project on the
matter.

> > I am managing a wired network for some 300 users, it's a student dorm
> > and the university owns the network and they require authentication
> > for the ease of management and control. 802.1x felt like the right way
> > to go, because we are planning some wireless access points as well.
> > There are HP's Procurve 2650 switches in use. I chose MySQL db backend,
> > because I also created a set of PHP scripts, where users can change
> > their passwords and admin can add/del/modify user info.
> > So what can one do to avoid storing passes in clear text or is it sane
> > enough? The server also serves some web pages and dhcp requests.
>
>   Ensure that no one has physical access to the system storing the
> passwords.  Ensure that no one has network access to the system storing
> the passwords.



That will be no problem, since I'm the only one with physical access.

>   I would also suggest running the RADIUS server and/or the MySQL server
> with passwords on a separate machine from the web/dhcp server.  That
> way, if someone breaks into the web server, they won't have access to
> the passwords.


I am using VMWare server, so that won't require much work.

>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



Thanks again, for clearing this up.

primski
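
Why a hashed password column works for PAP but not for challenge-response EAP methods, as an added example that is not part of the original message. It assumes EAP-MD5 (the CHAP computation from RFC 1994) as the illustrative EAP type; the function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    """Unsalted MD5 hex digest, standing in for a 'hashed password' SQL column."""
    return hashlib.md5(data).hexdigest()

def pap_verify(stored_md5: str, supplied_password: bytes) -> bool:
    """PAP: the server receives the password itself, so it can hash and compare."""
    return hmac.compare_digest(md5_hex(supplied_password), stored_md5)

def challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def server_check(identifier: int, challenge: bytes, response: bytes,
                 stored_value: bytes) -> bool:
    """The server recomputes the response from whatever value it has stored."""
    expected = challenge_response(identifier, stored_value, challenge)
    return hmac.compare_digest(expected, response)

def compare_storage(password: bytes, identifier: int, challenge: bytes) -> dict:
    """Run the same login against a hashed column and a cleartext column."""
    stored_hash = md5_hex(password)
    # The supplicant only ever sends this digest, never the password.
    response = challenge_response(identifier, password, challenge)
    return {
        "pap_hashed": pap_verify(stored_hash, password),
        "eap_cleartext": server_check(identifier, challenge, response, password),
        "eap_hashed": server_check(identifier, challenge, response,
                                   stored_hash.encode()),
    }

if __name__ == "__main__":
    # Constructed sample values: password, EAP identifier, 16-byte challenge.
    sample = compare_storage(b"constructed-sample-password", 7, bytes(range(16)))
    for name, ok in sample.items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

With only the hash stored, the server cannot recompute the expected response for a correct password, so the challenge-response check rejects it.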