eduroam using EAP-TTLS and securing the user's password

regemailster at gmail.com regemailster at gmail.com
Fri Jun 17 08:36:53 CEST 2011


Hi all,

Sorry if this question has been posted before.

I have a simple question regarding how to ensure the user's password is  
never leaked or found out by anyone, including administrators of the radius  
server or the backend LDAP server.

My requirement is that I would like to store the user password as a hash  
(e.g. SHA-256) within the LDAP.

Now if I were to use this LDAP server as the authentication source for the  
RADIUS server for eduroam, I would need to use EAP-TTLS with PAP as the  
inner authentication (since I don't have a reversible password at the  
backend). Now I notice that because it uses PAP, if I enable user-password  
logging on the RADIUS server, I can see the user's supplied password when  
their machine is authenticating to access eduroam.

This problem is even worse if the user is travelling at a partner  
institution and using eduroam, in that if that partner institution's  
RADIUS server has user-password logging enabled, they too can see my user's  
password.

I wonder if there's anything that can be done to prevent this, or have I  
missed something in my understanding?

Thanks,
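The following is an added example, not code from the original post and not part of FreeRADIUS or eduroam. It models what the RADIUS server that terminates the EAP-TTLS tunnel sees for an inner PAP exchange: the plaintext User-Password, which it can either log or verify against a salted SHA-256 value in LDAP and then forget. In eduroam the TLS tunnel is terminated by the user's home institution, so a visited institution's server only proxies the outer RADIUS packets carrying TLS records; the plaintext is only ever exposed to the home server. The {SSHA256} userPassword scheme (base64 of digest followed by salt, RFC 2307 style) is assumed to be what the directory stores, the inner attributes and the debug lines are constructed samples modelled on FreeRADIUS debug output, and the user identity is made up.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# Constructed sample: inner PAP attributes as seen by the home RADIUS server
# after it has decrypted the EAP-TTLS tunnel. A proxying visited-site server
# never sees these; it only relays the outer packet's EAP-Message attributes.
INNER_PAP_ATTRIBUTES = {
    "User-Name": "jdoe@example.org",   # assumed inner identity
    "User-Password": "correct horse",   # constructed plaintext
}

# Constructed sample of what verbose RADIUS debug output looks like once the
# inner request has been unpacked: the plaintext is right there in the log.
SAMPLE_DEBUG = (
    "rad_recv: Access-Request packet from host 127.0.0.1 port 1812, id=42\n"
    '\tUser-Name = "jdoe@example.org"\n'
    '\tUser-Password = "correct horse"\n'
    "\tNAS-IP-Address = 127.0.0.1\n"
)


def ssha256_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an LDAP {SSHA256} userPassword value:
    base64(SHA-256(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap(stored: str, supplied: str) -> bool:
    """Verify the PAP plaintext against a stored {SSHA256} value.

    Only the hashed form is needed on the server, which is exactly why PAP
    (and not a challenge-response inner method) works with this store.
    An unknown scheme fails closed instead of silently never matching."""
    if not stored.startswith("{SSHA256}"):
        raise ValueError("unsupported userPassword scheme")
    blob = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = blob[:32], blob[32:]
    candidate = hashlib.sha256(supplied.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def handle_inner_pap(attrs: Dict[str, str], directory: Dict[str, str]) -> str:
    """Decide the inner result for one PAP request.

    'directory' stands in for the LDAP lookup (user -> userPassword value).
    Missing user and missing password both reject; the supplied plaintext is
    used for the comparison and nothing else."""
    user = attrs.get("User-Name")
    password = attrs.get("User-Password")
    if user is None or password is None or user not in directory:
        return "Access-Reject"
    return "Access-Accept" if verify_pap(directory[user], password) else "Access-Reject"


# Attributes whose quoted value is a credential in debug output.
_SECRET_ATTRS = re.compile(
    r'^([ \t]*(?:User-Password|CHAP-Password|Cleartext-Password)[ \t]*=[ \t]*)"[^"]*"',
    re.MULTILINE,
)


def redact(debug_output: str) -> str:
    """Scrub credential attribute values from debug output before it is
    stored or shared, keeping the attribute name so the line stays readable."""
    return _SECRET_ATTRS.sub(r'\1"<redacted>"', debug_output)


if __name__ == "__main__":
    stored = ssha256_hash("correct horse")
    directory = {"jdoe@example.org": stored}
    print("LDAP userPassword:", stored)
    print("inner result:", handle_inner_pap(INNER_PAP_ATTRIBUTES, directory))
    print(redact(SAMPLE_DEBUG))
```

The practical consequence for the home server is that the plaintext must be treated as transient: compare it, then drop it, and keep it out of every log sink. In FreeRADIUS 2.x the `log { ... }` section of radiusd.conf has `auth_badpass` and `auth_goodpass` settings that control whether passwords appear in the authentication log; both should stay at `no`, and debug output (radiusd -X) should be redacted as above before it leaves the host.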

