FreeRADIUS without Universal Password

Alexander Clouter alex at
Thu Feb 5 10:04:17 CET 2009

* Jason C Brown <jasonbrown at> [Wed, 4 Feb 2009 17:41:49 -0500]:
> Is there a way to integrate FreeRADIUS without having to use the  
> universal password in Novell?
You need to send the password in plaintext to the RADIUS server from the 
connecting client, in the world of 802.1X this is typically done with 
wrapping PAP in EAP-TTLS[1].  It's what we had to do in the early days 
whilst migrating from a non-UP world to a UP I just have to 
work out how to dispose of Novell but that's another battle.

When you use PAP, you can just do a nasty bog standard LDAP bind and get 
FreeRADIUS to check that it succeeds and then work from there.

Once you are UP'ed you can then enable the horrors of MSCHAP and let 
those horrible Jesus Phones connect and what not.  Looking on the good 
side, no iPhones on your wireless network till you get there, so you 
might want to view this as a reason not to UP altogether ;)


[1] which is better than PEAP anyway as you have the option to 
	pre-config windows clients with a single EXE; if you choose to 
	use SecureW2

Alexander Clouter
.sigmonster says: Practice yourself what you preach.
                  		-- Titus Maccius Plautus

More information about the Freeradius-Users mailing list