Secure Storage and Transport of User Credentials

Phil Mayers p.mayers at
Wed Jul 11 15:21:44 CEST 2012

On 11/07/12 14:04, Marco Macala wrote:
>  > if you dont trust the network then you will also need to looking at
> using TLS to transport
>  > things around - eg RADSEC or a VPN tunnel.
> isn't the point of PEAP that i don't need them because it is wrapped in
> an encrypted communication?


>  > as for NT hash - yes, there are security issues but only if you have
> access to them
>  > or expose them - if you bind the FreeRADIUS system to an AD and use
> eg ntlm_auth then the NThash
>  > isnt accessed.
> The thing is, i can't use AD to store the passwords. Specifically, i
> would like to store the password as a salted hash.

You can't do this, and use PEAP. PEAP requires MSCHAPv2, which requires 
plaintext or NT hash exist SOMEWHERE. See:

> I want something like this:
> - encrypted channel between authenticator and radius server

PEAP or TTLS will provide this.

> - passwords stored as a salted hash

Only TTLS-PAP will provide this. See the link above. TTLS is not 
available until Windows 8, so you will need to deploy software on 
windows clients.

More information about the Freeradius-Users mailing list