AW: PAP dont decrypt

Phil Mayers p.mayers at
Fri Jul 23 10:36:08 CEST 2010

On 07/23/2010 09:18 AM, Lionne Stangier wrote:
>> You have edited the default configuration files and broken them.
>> You deleted "eap" from the "authorize" section, and then sent the
>> server and EAP request.  Don't do that.
> 	It was only a try ;)

Sadly, many people take a hatchet to the configs then seem surprised 
when things don't work! Best to make small changes one at a time and 
test them, and put your configs into version control so you can roll 
them back.

>> And if the passwords are stored as MD5, go read:
> I know this side because of that I tested pap.
>> Some EAP methods (e.g. PEAP) will *not* work with MD5 hashed
>> passwords.  So don't even try.
> I know that they don’t work. Clear Text passwords in the ldap are a no go.
> Cant pap encrypt the passwords and than eap or peap will start?

"Won't work" really means it. PEAP/MS-CHAP requires access to the 
plaintext password or NT/LM hashes, or access to a domain controller 
with such via use of the "ntlm_auth" helper and Samba.

It is cryptographically impossible for it to be otherwise I'm afraid.

More information about the Freeradius-Users mailing list