FreeRADIUS without Universal Password

Danner, Mearl jmdanner at
Thu Feb 5 18:57:48 CET 2009

Universal Password is encrypted. It's attribute name is
npsmDistributionPassword I believe. As a further protection it is only
readable by admin roles.

You'll have to set up freeradius to bind with such a login and get the
password and decrypt it. That function has been in freeradius for quite
a while. That process will give freeradius (internally) a cleartext
password to use for mschapv2.

We moved to all M$ products a while back, but used freeradius against
eDirectory for a couple of years before we moved to all Windows servers.
It was low maintenance and worked well for us. The only issue was the
moving auth target that M$ eap clients presented us. That's why we use
IAS presently. At least when it breaks it's their fault.


> -----Original Message-----
> From: freeradius-users-
> at [mailto:freeradius-
> at] On Behalf Of
> Jason C Brown
> Sent: Thursday, February 05, 2009 10:45 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS without Universal Password
> I had to ask, I have people telling me that this is a limitation of
> only FreeRADIUS and not all RADIUS servers in general.  There is a
> concern that the UP is being stored in clear text in Novell and we
> need to turn off that service and only use simple password.  Since I
> am no Novell admin I really do not have a clue if we can encrypt the
> UP that is stored on the server or what other implications there are
> in turning off UP.
> Jason Brown - RHCT, Security+, Linux+, Network+
> Systems Administrator
> Enterprise Technology Services
> Ferris State University
> (231) 591-2687
> On Feb 5, 2009, at 1:48 AM, Alan DeKok wrote:
> > Jason C Brown wrote:
> >> Do you by chance know if every RADIUS server acts the same way?
> >> instance would Steel Belted RADIUS require the use of UP as well?
> >
> >  Please read this explanation again:
> >
> >>> The Novell password is not stored as an attribute unless Universal
> >>> password is enabled. It exists in eDirectory, can be created/
> >>> modified by
> >>> ldap as userpassword but cannot be returned in an ldap search.
> >
> >  The password can't be seen by *any* RADIUS server until it's stored
> > as
> > a Universal password.
> >
> >  This is a limitation of Novell's LDAP server, and applies to all
> > clients, whether they are RADIUS servers, command-line clients, web
> > servers, or anything else.
> >
> >  Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list